Oracle Linux 10 / 9 : Unbreakable Enterprise kernel (ELSA-2026-50293)

high Nessus Plugin ID 318589

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

The remote Oracle Linux 10 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-50293 advisory.

- net: skbuff: propagate shared-frag marker through frag-transfer helpers (Hyunwoo Kim) [Orabug: 39442660] {CVE-2026-46300}
- ptrace: slightly saner 'get_dumpable()' logic (Linus Torvalds) [Orabug: 39407652] {CVE-2026-46333}
- x86/CPU/AMD: Add a fix for AMD-SB-7052 (Prathyushi Nangia) [Orabug: 39218893] {CVE-2025-54518}
- rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present (Hyunwoo Kim) [Orabug: 39334587] {CVE-2026-43500}
- xfrm: esp: avoid in-place decrypt on shared skb frags (Kuan-Ting Chen) [Orabug: 39334587] {CVE-2026-43284}
- nfsd: fix heap overflow in NFSv4.0 LOCK replay cache (Jeff Layton) [Orabug: 39167615] {CVE-2026-31402}
- netfilter: nf_tables: always walk all pending catchall elements (Florian Westphal) [Orabug: 39110670] {CVE-2026-23278}
- net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks (Victor Nogueira) [Orabug: 39103229] {CVE-2026-23270}
- netfilter: nfnetlink_queue: make hash table per queue (Florian Westphal) [Orabug: 39339273] {CVE-2026-43084}
- crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl (Herbert Xu) [Orabug: 39250685,39331108] {CVE-2026-43078}
- crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption (Herbert Xu) [Orabug: 39250685,39300909] {CVE-2026-43033}
- crypto: algif_aead - Revert to operating out-of-place (Herbert Xu) [Orabug: 39250685,39283866,39291972,39292190] {CVE-2026-31431}
- x86/CPU: Fix FPDSS on Zen1 (Borislav Petkov) [Orabug: 39241227,39273721] {CVE-2026-31628}
- ipv6: use RCU in ip6_xmit() (Eric Dumazet) [Orabug: 38649060,39186444,39202432] {CVE-2025-40135}
- dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() (Eric Dumazet) [Orabug: 38887740,39181101,39202431] {CVE-2026-23004}
- net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled (Fernando Fernandez Mancera) [Orabug: 39029337,39131054] {CVE-2026-23381}
- io_uring/kbuf: check if target buffer list is still legacy on recycle (Jens Axboe) [Orabug: 39144150,39343763] {CVE-2026-43366}
- spi: tegra210-quad: Protect curr_xfer check in IRQ handler (Breno Leitao) [Orabug: 38970584,39166116] {CVE-2026-23207}
- tracing: Add NULL pointer check to trigger_data_free() (Guenter Roeck) [Orabug: 39227772] {CVE-2026-23309}
- bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR (Daniel Wade) [Orabug: 39198231] {CVE-2026-31413}
- Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req (Minseo Park) [Orabug: 39251164] {CVE-2026-31513}
- erofs: set fileio bio failed in short read case (Sheng Yong) [Orabug: 39251169] {CVE-2026-31514}
- ACPI: processor: Fix previous acpi_processor_errata_piix4() fix (Rafael J. Wysocki) [Orabug: 39198208] {CVE-2026-23443}
- wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom (Guenter Roeck) [Orabug: 39262447] {CVE-2026-31552}
- tracing: ring-buffer: Fix to check event length before using (Masami Hiramatsu) [Orabug: 39331678] {CVE-2026-43210}
- net/sched: act_skbedit: fix divide-by-zero in tcf_skbedit_hash() (Liu Ruitong) [Orabug: 39331784] {CVE-2026-43238}
- cifs: some missing initializations on replay (Shyam Prasad N) [Orabug: 39300554] {CVE-2026-31693}
- fbdev: of: display_timing: fix refcount leak in of_get_display_timings() (Weigang He) [Orabug: 39331889] {CVE-2026-43264}
- fbcon: check return value of con2fb_acquire_newinfo() (Andrey Vatoropin) [Orabug: 39331303] {CVE-2026-43123}
- ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data() (Junxi Qian) [Orabug: 39331577] {CVE-2026-43186}
- procfs: fix possible double mmput() in do_procmap_query() (Andrii Nakryiko) [Orabug: 39339241] {CVE-2026-43178}
- drm/amdgpu: fix sync handling in amdgpu_dma_buf_move_notify (Pierre-Eric Pelloux-Prayer) [Orabug: 39343623] {CVE-2026-43318}
- ceph: supply snapshot context in ceph_zero_partial_object() (Ethanwu) [Orabug: 39331924] {CVE-2026-43273}
- cifs: Fix locking usage for tcon fields (Shyam Prasad N) [Orabug: 39331696] {CVE-2026-43215}
- PCI: Fix pci_slot_trylock() error handling (Jinhui Guo) [Orabug: 39331680] {CVE-2026-43211}
- drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set() (Sunday Clement) [Orabug: 39331661] {CVE-2026-43206}
- usb: dwc3: gadget: Move vbus draw to workqueue context (Prashanth K) [Orabug: 39331512] {CVE-2026-43170}
- scsi: ufs: core: Flush exception handling work when RPM level is zero (Thomas Yen) [Orabug: 39331937] {CVE-2026-43275}
- perf/arm-cmn: Reject unsupported hardware configurations (Robin Murphy) [Orabug: 39331435] {CVE-2026-43150}
- Revert 'PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV' (Niklas Schnelle) [Orabug: 39331422] {CVE-2026-43147}
- kexec: derive purgatory entry from symbol (Li Chen) [Orabug: 39343538] {CVE-2026-43289}
- ocfs2: fix reflink preserve cleanup issue (Heming Zhao) [Orabug: 39331504] {CVE-2026-43168}
- vhost: move vdpa group bound check to vhost_vdpa (Eugenio Perez) [Orabug: 39331827] {CVE-2026-43248}
- mm/vmalloc: prevent RCU stalls in kasan_release_vmalloc_node (Deepanshu Kartikey) [Orabug: 39343546] {CVE-2026-43292}
- md/bitmap: fix GPF in write_page caused by resize race (Jack Wang) [Orabug: 39331482] {CVE-2026-43163}
- xfs: check for deleted cursors when revalidating two btrees (Darrick J. Wong) [Orabug: 39103129] {CVE-2026-23249}
- xfs: check return value of xchk_scrub_create_subord (Darrick J. Wong) [Orabug: 39103131] {CVE-2026-23250}
- xfs: only call xf{array,blob}_destroy if we have a valid pointer (Darrick J. Wong) [Orabug: 39103133] {CVE-2026-23251}
- KVM: x86: Add SRCU protection for reading PDPTRs in __get_sregs2() (Vasiliy Kovalev) [Orabug: 39331693] {CVE-2026-43214}
- xfs: fix freemap adjustments when adding xattrs to leaf blocks (Darrick J. Wong) [Orabug: 39331458] {CVE-2026-43158}
- xfs: delete attr leaf freemap entries when empty (Darrick J. Wong) [Orabug: 39331580] {CVE-2026-43187}
- mfd: core: Add locking around 'mfd_of_node_list' (Douglas Anderson) [Orabug: 39331409] {CVE-2026-43143}
- iommu/vt-d: Flush dev-IOTLB only when PCIe device is accessible in scalable mode (Jinhui Guo) [Orabug: 39331341] {CVE-2026-43130}
- xfs: remove xfs_attr_leaf_hasname (Christoph Hellwig) [Orabug: 39331444] {CVE-2026-43153}
- drm/buddy: Prevent BUG_ON by validating rounded allocation (Sanjay Yadav) [Orabug: 39331510] {CVE-2026-43169}
- KVM: nSVM: Always use vmcb01 in VMLOAD/VMSAVE emulation (Yosry Ahmed) [Orabug: 39331358] {CVE-2026-43133}
- dm: clear cloned request bio pointer when last clone bio completes (Michael Liang) [Orabug: 39331954] {CVE-2026-43278}
- media: ipu6: Fix RPM reference leak in probe error paths (Bingbu Cao) [Orabug: 39331545] {CVE-2026-43177}
- media: i2c/tw9906: Fix potential memory leak in tw9906_probe() (Abdun Nihaal) [Orabug: 39331821] {CVE-2026-43246}
- media: i2c/tw9903: Fix potential memory leak in tw9903_probe() (Abdun Nihaal) [Orabug: 39331705] {CVE-2026-43218}
- media: cx23885: Add missing unmap in snd_cx23885_hw_params() (Haoxiang Li) [Orabug: 39331366] {CVE-2026-43135}
- media: cx88: Add missing unmap in snd_cx88_hw_params() (Haoxiang Li) [Orabug: 39331866] {CVE-2026-43257}
- media: radio-keene: fix memory leak in error path (Shaurya Rane) [Orabug: 39331752] {CVE-2026-43231}
- HID: logitech-hidpp: Check maxfield in hidpp_get_report_length() (Gunther Noack) [Orabug: 39331370] {CVE-2026-43136}
- HID: prodikeys: Check presence of pm->input_ep82 (Gunther Noack) [Orabug: 39331846] {CVE-2026-43251}
- HID: magicmouse: Do not crash on missing msc->input (Gunther Noack) [Orabug: 39331389] {CVE-2026-43140}
- HID: hid-pl: handle probe errors (Oliver Neukum) [Orabug: 39331440] {CVE-2026-43152}
- KVM: nSVM: Remove a user-triggerable WARN on nested_svm_load_cr3() succeeding (Sean Christopherson) [Orabug: 39343613] {CVE-2026-43315}
- dm-verity: correctly handle dm_bufio_client_create() failure (Eric Biggers) [Orabug: 39331353] {CVE-2026-43132}
- ASoC: SOF: ipc4-topology: Correct the allocation size for bytes controls (Peter Ujfalusi) [Orabug: 39331023] {CVE-2025-71286}
- rpmsg: core: fix race in driver_override_show() and use core helper (Gui-Dong Han) [Orabug: 39331012] {CVE-2025-71274}
- netfilter: nf_conntrack_h323: fix OOB read in decode_choice() (Vahagn Vardanian) [Orabug: 39331761] {CVE-2026-43233}
- net: consume xmit errors of GSO frames (Jakub Kicinski) [Orabug: 39331606] {CVE-2026-43194}
- net/mlx5e: Fix 'scheduling while atomic' in IPsec MAC address query (Jianbo Liu) [Orabug: 39331628] {CVE-2026-43199}
- RDMA/umem: Fix double dma_buf_unpin in failure path (Jacob Moroni) [Orabug: 39331331] {CVE-2026-43128}
- net: usb: pegasus: enable basic endpoint checking (Ziyi Guo) [Orabug: 39331449] {CVE-2026-43156}
- tls: Fix race condition in tls_sw_cancel_work_tx() (Hyunwoo Kim) [Orabug: 39073883] {CVE-2026-23240}
- Bluetooth: L2CAP: Fix missing key size check for L2CAP_LE_CONN_REQ (Luiz Augusto von Dentz) [Orabug: 39331361] {CVE-2026-43134}
- bnxt_en: Fix RSS context delete logic (Pavan Chebbi) [Orabug: 39331875] {CVE-2026-43260}
- net: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode (Ziyi Guo) [Orabug: 39331549] {CVE-2026-43180}
- xfrm: always flush state and policy upon NETDEV_UNREGISTER event (Tetsuo Handa) [Orabug: 39331496] {CVE-2026-43167}
- xfrm6: fix uninitialized saddr in xfrm6_get_saddr() (Jiayuan Chen) [Orabug: 39331383] {CVE-2026-43139}
- ALSA: usb-audio: Add sanity check for OOB writes at silencing (Takashi Iwai) [Orabug: 39331959] {CVE-2026-43279}
- spi: spidev: fix lock inversion between spi_lock and buf_lock (Fabian Godehardt) [Orabug: 39343626] {CVE-2026-43319}
- libceph: define and enforce CEPH_MAX_KEY_LEN (Ilya Dryomov) [Orabug: 39343577] {CVE-2026-43304}
- netfilter: xt_tcpmss: check remaining length before reading optlen (Florian Westphal) [Orabug: 39331591] {CVE-2026-43190}
- ext4: move ext4_percpu_param_init() before ext4_mb_init() (Baokun Li) [Orabug: 39343531] {CVE-2026-43288}
- iommu/amd: move wait_on_sem() out of spinlock (Ankit Soni) [Orabug: 39331853] {CVE-2026-43253}
- wifi: libertas: fix WARNING in usb_tx_block (Szymon Wilczek) [Orabug: 39331859] {CVE-2026-43255}
- dm: remove fake timeout to avoid leak request (Ding Hui) [Orabug: 39343609] {CVE-2026-43314}
- wifi: rtw88: Use devm_kmemdup() in rtw_set_supported_band() (Bitterblue Smith) [Orabug: 39331003] {CVE-2025-71273}
- wifi: rtw88: 8822b: Avoid WARNING in rtw8822b_config_trx_mode() (Bitterblue Smith) [Orabug: 39343515] {CVE-2025-71297}
- ALSA: mixer: oss: Add card disconnect checkpoints (Takashi Iwai) [Orabug: 39331318] {CVE-2026-43126}
- ASoC: SOF: Intel: hda: Fix NULL pointer dereference (Ranjani Sridharan) [Orabug: 39331375] {CVE-2026-43137}
- drm: Account property blob allocations to memcg (Xiao Kan) [Orabug: 39343527] {CVE-2026-43287}
- media: v4l2-async: Fix error handling on steps after finding a match (Sakari Ailus) [Orabug: 39331585] {CVE-2026-43189}
- media: solo6x10: Check for out of bounds chip_id (Kees Cook) [Orabug: 39343616] {CVE-2026-43316}
- media: pvrusb2: fix URB leak in pvr2_send_request_ex (Szymon Wilczek) [Orabug: 39331719] {CVE-2026-43223}
- drm/amd/display: Add signal type check for dcn401 get_phyd32clk_src (Dmytro Laktyushkin) [Orabug: 39331807] {CVE-2026-43243}
- drm/amd/display: Fix dsc eDP issue (Charlene Liu) [Orabug: 39343628] {CVE-2026-43320}
- drm/amdgpu: fix NULL pointer issue buffer funcs (Likun Gao) [Orabug: 39331070] {CVE-2025-71294}
- pstore: ram_core: fix incorrect success return when vmap() fails (Ruipeng Qi) [Orabug: 39331308] {CVE-2026-43124}
- bpf: crypto: Use the correct destructor kfunc type (Sami Tolvanen) [Orabug: 39343581] {CVE-2026-43306}
- md-cluster: fix NULL pointer dereference in process_metadata_update (Jiasheng Jiang) [Orabug: 39331918] {CVE-2026-43271}
- ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4() (Tuo Li) [Orabug: 39343603] {CVE-2026-43313}
- EFI/CPER: don't go past the ARM processor CPER record buffer (Mauro Carvalho Chehab) [Orabug: 39331896] {CVE-2026-43266}
- APEI/GHES: ARM processor Error: don't go past allocated memory (Mauro Carvalho Chehab) [Orabug: 39331636] {CVE-2026-43201}
- APEI/GHES: ensure that won't go past CPER allocated record (Mauro Carvalho Chehab) [Orabug: 39331947] {CVE-2026-43277}
- EFI/CPER: don't dump the entire memory region (Mauro Carvalho Chehab) [Orabug: 39331518] {CVE-2026-43171}
- arm64: Add support for TSV110 Spectre-BHB mitigation (Jinqian Yang) [Orabug: 39331877] {CVE-2026-43261}
- smb: client: prevent races in ->query_interfaces() (Henrique Carvalho) [Orabug: 39331789] {CVE-2026-43239}
- gfs2: fiemap page fault fix (Andreas Gruenbacher) [Orabug: 39331882] {CVE-2026-43262}
- dlm: validate length in dlm_search_rsb_tree (Ziming Zhang) [Orabug: 39331312] {CVE-2026-43125}
- fs/buffer: add alert in try_to_free_buffers() for folios without buffers (Deepakkumar Karn) [Orabug: 39331077] {CVE-2025-71295}
- macvlan: observe an RCU grace period in macvlan_common_newlink() error path (Eric Dumazet) [Orabug: 39110677] {CVE-2026-23273}
- net: atm: fix crash due to unvalidated vcc pointer in sigd_send() (Jiayuan Chen) [Orabug: 39188476] {CVE-2026-31411}

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://linux.oracle.com/errata/ELSA-2026-50293.html

Plugin Details

Severity: High

ID: 318589

File Name: oraclelinux_ELSA-2026-50293.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 6/4/2026

Updated: 6/4/2026

Supported Sensors: Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 10.0

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-46300

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7.5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7.3

Threat Score: 7.3

Threat Vector: CVSS:4.0/E:A

Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2025-54518

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:kernel-uek64k-modules-extra-netfilter, p-cpe:/a:oracle:linux:kernel-uek-doc, p-cpe:/a:oracle:linux:kernel-uek64k-modules-deprecated, p-cpe:/a:oracle:linux:kernel-uek-modules-core, p-cpe:/a:oracle:linux:kernel-uek-modules-extra, p-cpe:/a:oracle:linux:kernel-uek-modules-wireless, p-cpe:/a:oracle:linux:kernel-uek64k-modules-extra, p-cpe:/a:oracle:linux:kernel-uek-modules, cpe:/o:oracle:linux:9, p-cpe:/a:oracle:linux:kernel-uek-debug, p-cpe:/a:oracle:linux:kernel-uek, p-cpe:/a:oracle:linux:kernel-uek-debug-modules-core, p-cpe:/a:oracle:linux:kernel-uek64k, p-cpe:/a:oracle:linux:kernel-uek64k-modules, p-cpe:/a:oracle:linux:kernel-uek64k-modules-desktop, p-cpe:/a:oracle:linux:kernel-uek-debug-devel, p-cpe:/a:oracle:linux:kernel-uek-modules-deprecated, p-cpe:/a:oracle:linux:kernel-uek-modules-usb, p-cpe:/a:oracle:linux:kernel-uek-devel, p-cpe:/a:oracle:linux:kernel-uek-debug-modules-wireless, p-cpe:/a:oracle:linux:kernel-uek-debug-modules-extra-netfilter, p-cpe:/a:oracle:linux:kernel-uek64k-modules-usb, p-cpe:/a:oracle:linux:kernel-uek-debug-modules-desktop, p-cpe:/a:oracle:linux:kernel-uek-debug-core, p-cpe:/a:oracle:linux:kernel-uek-modules-extra-netfilter, p-cpe:/a:oracle:linux:kernel-uek-tools, p-cpe:/a:oracle:linux:kernel-uek-debug-modules, cpe:/o:oracle:linux:10, p-cpe:/a:oracle:linux:kernel-uek64k-devel, p-cpe:/a:oracle:linux:kernel-uek-modules-desktop, p-cpe:/a:oracle:linux:kernel-uek64k-modules-wireless, p-cpe:/a:oracle:linux:kernel-uek-debug-modules-usb, p-cpe:/a:oracle:linux:kernel-uek-debug-modules-extra, p-cpe:/a:oracle:linux:kernel-uek64k-core, p-cpe:/a:oracle:linux:kernel-uek64k-modules-core, p-cpe:/a:oracle:linux:kernel-uek-core, p-cpe:/a:oracle:linux:kernel-uek-debug-modules-deprecated

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/OracleLinux

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/2/2026

Vulnerability Publication Date: 4/9/2024

CISA Known Exploited Vulnerability Due Dates: 5/15/2026

Reference Information

CVE: CVE-2025-54518, CVE-2026-23270, CVE-2026-23278, CVE-2026-31402, CVE-2026-31431, CVE-2026-31628, CVE-2026-43033, CVE-2026-43078, CVE-2026-43084, CVE-2026-43284, CVE-2026-43500, CVE-2026-46300, CVE-2026-46333

IAVA: 2026-A-0428