EulerOS 2.0 SP12 : kernel (EulerOS-SA-2026-2535)

high Nessus Plugin ID 326222

Synopsis

The remote EulerOS host is missing multiple security updates.

Description

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

Input: alps - fix use-after-free bugs caused by dev3_register_work(CVE-2025-68822)

ext4: reject mount if bigalloc with s_first_data_block != 0(CVE-2026-31447)

tls: Fix race condition in tls_sw_cancel_work_tx()(CVE-2026-23240)

apparmor: replace recursive profile removal with iterative approach(CVE-2026-23404)

ethtool: Avoid overflowing userspace buffer on stats query(CVE-2025-68795)

ipv6: avoid overflows in ip6_datagram_send_ctl()(CVE-2026-31415)

ceph: add a bunch of missing ceph_path_info initializers(CVE-2026-43408)

netfilter: nf_conntrack_helper: pass helper to expect cleanup(CVE-2026-43027)

netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()(CVE-2026-23457)

PM: runtime: Fix a race condition related to device removal(CVE-2026-23452)

net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()(CVE-2026-31423)

mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()(CVE-2026-31586)

drm/ioc32: stop speculation on the drm_compat_ioctl path(CVE-2026-31781)

module: Fix kernel panic when a symbol st_shndx is out of bounds(CVE-2026-31521)

serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN(CVE-2026-23472)

net/tcp-md5: Fix MAC comparison to be constant-time(CVE-2026-43383)

ext4: avoid infinite loops caused by residual data(CVE-2026-31448)

smb: client: Don#39;t log plaintext credentials in cifs_set_cifscreds(CVE-2026-23303)

dmaengine: idxd: Fix memory leak when a wq is reset(CVE-2026-31441)

bridge: br_nd_send: linearize skb before parsing ND options(CVE-2026-31682)

net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit(CVE-2026-23277)

crypto: af_alg - limit RX SG extraction by receive buffer budget(CVE-2026-31677)

netfilter: xt_CT: drop pending enqueued packets on template removal(CVE-2026-23391)

apparmor: validate DFA start states are in bounds in unpack_pdb(CVE-2026-23269)

net: bonding: fix use-after-free in bond_xmit_broadcast()(CVE-2026-31419)

NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd(CVE-2026-31403)

ipv4: nexthop: allocate skb dynamically in rtm_get_nexthop()(CVE-2026-31531)

netfilter: ipset: drop logically empty buckets in mtype_del(CVE-2026-31418)

dcache: Limit the minimal number of bucket to two(CVE-2026-43071)

HID: multitouch: Check to ensure report responses match the request(CVE-2026-43047)

smb: client: fix krb5 mount with username option(CVE-2026-31392)

net: usb: kaweth: validate USB endpoints(CVE-2026-23312)

net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check(CVE-2026-23448)

nvmet: move async event work off nvmet-wq(CVE-2026-31557)

NFSD: Defer sub-object cleanup in export put callbacks(CVE-2026-31404)

apparmor: fix side-effect bug in match_char() macro usage(CVE-2026-23406)

nfnetlink_osf: validate individual option lengths in fingerprints(CVE-2026-23397)

Squashfs: check metadata block offset is within range(CVE-2026-23388)

net: add xmit recursion limit to tunnel xmit functions(CVE-2026-23276)

libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()(CVE-2026-43407)

xfs: fix undersized l_iclog_roundoff values(CVE-2026-43365)

ixgbevf: add missing negotiate_features op to Hyper-V ops table(CVE-2026-43094)

drm/vmwgfx: Return the correct value in vmw_translate_ptr functions(CVE-2026-23317)

af_unix: read UNIX_DIAG_VFS data under unix_state_lock(CVE-2026-31673)

af_key: validate families in pfkey_send_migrate()(CVE-2026-31515)

smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path(CVE-2026-31708)

usb: cdns3: gadget: fix NULL pointer dereference in ep_queue(CVE-2026-31755)

netfilter: nfnetlink_log: account for netlink header size(CVE-2026-31416)

sunrpc: fix cache_request leak in cache_release(CVE-2026-31400)

dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()(CVE-2026-31436)

net: usb: kalmia: validate USB endpoints(CVE-2026-23365)

ptrace: slightly saner #39;get_dumpable()#39; logic(CVE-2026-46333)

net: usb: pegasus: validate USB endpoints(CVE-2026-23290)

bonding: provide a net pointer to __skb_flow_dissect()(CVE-2026-23119)

KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION(CVE-2026-31590)

nvme-fc: release admin tagset if init fails(CVE-2026-23261)

icmp: fix NULL pointer dereference in icmp_tag_validation()(CVE-2026-23398)

netfilter: nft_ct: fix use-after-free in timeout object destroy(CVE-2026-31665)

net: correctly handle tunneled traffic on IPV6_CSUM GSO fallback(CVE-2026-43057)

netfilter: nf_conntrack_expect: skip expectations in other netns via proc(CVE-2026-31496)

HID: alps: fix NULL pointer dereference in alps_raw_event()(CVE-2026-31625)

net: usb: pegasus: enable basic endpoint checking(CVE-2026-43156)

udp: Fix wildcard bind conflict check when using hash2(CVE-2026-31503)

net/sched: sch_netem: fix out-of-bounds access in packet corruption(CVE-2026-31675)

net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check(CVE-2026-23447)

netfilter: ip6t_eui64: reject invalid MAC header for all packets(CVE-2026-31685)

net: openvswitch: Avoid releasing netdev before teardown completes(CVE-2026-31508)

net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled(CVE-2026-23293)

netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels(CVE-2026-23274)

HID: core: Mitigate potential OOB by removing bogus memset()(CVE-2026-43048)

x86/CPU/AMD: Add RDSEED fix for Zen5(CVE-2025-68313)

net: ipv6: flowlabel: defer exclusive option free until RCU teardown(CVE-2026-31680)

mmc: vub300: fix NULL-deref on disconnect(CVE-2026-31651)

ipv6: add NULL checks for idev in SRv6 paths(CVE-2026-23442)

openvswitch: defer tunnel netdev_put to RCU release(CVE-2026-31678)

x86/apic: Disable x2apic on resume if the kernel expects so(CVE-2026-43363)

netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()(CVE-2026-23455)

virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false(CVE-2026-31469)

netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()(CVE-2026-23458)

net: consume xmit errors of GSO frames(CVE-2026-43194)

dmaengine: idxd: Fix not releasing workqueue on .release()(CVE-2026-43064)

nvdimm/bus: Fix potential use after free in asynchronous initialization(CVE-2026-31399)

nfsd: fix heap overflow in NFSv4.0 LOCK replay cache(CVE-2026-31402)

ext4: publish jinode after initialization(CVE-2026-31450)

net/sched: teql: Fix double-free in teql_master_xmit(CVE-2026-23449)

media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex(CVE-2026-31473)

ACPI: EC: clean up handlers on probe failure in acpi_ec_setup()(CVE-2026-31426)

crypto: af-alg - fix NULL pointer dereference in scatterwalk(CVE-2026-43043)

netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()(CVE-2026-31674)

sched/deadline: Fix missing ENQUEUE_REPLENISH during PI de-boosting(CVE-2026-23371)

apparmor: fix race on rawdata dereference(CVE-2026-23410)

apparmor: Fix double free of ns_name in aa_replace_profiles()(CVE-2026-23408)

e1000/e1000e: Fix leak in DMA error cleanup(CVE-2026-43445)

futex: Clear stale exiting pointer in futex_lock_pi() retry path(CVE-2026-31555)

apparmor: fix race between freeing data and fs accessing it(CVE-2026-23411)

netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case(CVE-2026-23456)

driver core: platform: use generic driver_override infrastructure(CVE-2026-31527)

xfs: stop reclaim before pushing AIL during unmount(CVE-2026-31455)

netfilter: nf_tables: unconditionally bump set-gt;nelems before insertion(CVE-2026-23272)

ceph: supply snapshot context in ceph_zero_partial_object()(CVE-2026-43273)

ext4: convert inline data to extents when truncate exceeds inline size(CVE-2026-31452)

apparmor: fix differential encoding verification(CVE-2026-23409)

HID: core: clamp report_size in s32ton() to avoid undefined shift(CVE-2026-31624)

EFI/CPER: don#39;t dump the entire memory region(CVE-2026-43171)

pstore: ram_core: fix incorrect success return when vmap() fails(CVE-2026-43124)

USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts(CVE-2026-43429)

net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs(CVE-2026-23340)

scsi: target: Fix recursive locking in __configfs_open_file()(CVE-2026-23292)

netfilter: ctnetlink: use netlink policy range checks(CVE-2026-31495)

netfilter: nft_set_pipapo: split gc into unlink and reclaim phase(CVE-2026-23351)

kprobes: avoid crash when rmmod/insmod after ftrace killed(CVE-2026-43409)

xfs: avoid dereferencing log items after push callbacks(CVE-2026-31453)

net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop(CVE-2026-23300)

netfilter: x_tables: ensure names are nul-terminated(CVE-2026-43028)

apparmor: fix: limit the number of levels of policy namespaces(CVE-2026-23405)

net/sched: cls_fw: fix NULL pointer dereference on shared blocks(CVE-2026-31421)

openvswitch: validate MPLS set/set_masked payload length(CVE-2026-31679)

perf: Fix __perf_event_overflow() vs perf_remove_from_context() race(CVE-2026-23271)

bpf: Fix regsafe() for pointers to packet(CVE-2026-43030)

tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG(CVE-2026-31662)

net/sched: cls_flow: fix NULL pointer dereference on shared blocks(CVE-2026-31422)

KVM: x86: Use scratch field in MMIO fragment to hold small write values(CVE-2026-31588)

PCI: Fix pci_slot_trylock() error handling(CVE-2026-43211)

net: rfkill: prevent unlimited numbers of rfkill events from being created(CVE-2026-31670)

apparmor: fix unprivileged local user can do privileged policy management(CVE-2026-23268)

comedi: dt2815: add hardware detection to prevent crash(CVE-2026-31751)

netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp(CVE-2026-31427)

ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()(CVE-2026-23304)

apparmor: fix missing bounds check on DEFAULT table in verify_dfa()(CVE-2026-23407)

xfs: save ailp before dropping the AIL lock in push callbacks(CVE-2026-31454)

ext4: avoid allocate block from corrupted group in ext4_mb_find_by_goal()(CVE-2026-43068)

media: dvb-core: fix wrong reinitialization of ringbuffer on reopen(CVE-2026-23253)

ext4: validate p_idx bounds in ext4_ext_correct_indexes(CVE-2026-31449)

netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD(CVE-2026-31428)

xfrm: prevent policy_hthresh.work from racing with netns teardown(CVE-2026-31516)

media: dvb-net: fix OOB access in ULE extension header tables(CVE-2026-31405)

perf/x86/intel/uncore: Fix die ID init and look up bugs(CVE-2026-43344)

crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption(CVE-2026-43033)

powerpc, perf: Check that current-gt;mm is alive before getting user callchain(CVE-2026-43416)

net: phy: register phy led_triggers during probe to avoid AB-BA deadlock(CVE-2026-23368)

net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled(CVE-2026-23381)

perf/x86/intel/uncore: Skip discovery table for offline dies(CVE-2026-43079)

apparmor: fix memory leak in verify_header(CVE-2026-23403)

nvme-pci: ensure we#39;re polling a polled queue(CVE-2026-31523)

xfrm: clear trailing padding in build_polexpire()(CVE-2026-31664)

x86/efi: defer freeing of boot services memory(CVE-2026-23352)

netfilter: nf_conntrack_expect: use expect-gt;helper(CVE-2026-31414)

net: add proper RCU protection to /proc/net/ptype(CVE-2026-23255)

ice: Fix memory leak in ice_set_ringparam()(CVE-2026-23389)

usb: typec: ucsi: validate connector number in ucsi_notify_common()(CVE-2026-31729)

ipv6: icmp: clear skb2-gt;cb[] in ip6_err_gen_icmpv6_unreach()(CVE-2026-43038)

netfilter: nf_conntrack_h323: fix OOB read in decode_choice()(CVE-2026-43233)

net: skbuff: propagate shared-frag marker through frag-transfer helpers(CVE-2026-43503)

mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()(CVE-2026-43281)

netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()(CVE-2026-43453)

xfs: fix freemap adjustments when adding xattrs to leaf blocks(CVE-2026-43158)

xfs: delete attr leaf freemap entries when empty(CVE-2026-43187)

netfilter: x_tables: guard option walkers against 1-byte tail reads(CVE-2026-43452)

crypto: pcrypt - Fix handling of MAY_BACKLOG requests(CVE-2026-43493)

netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()(CVE-2026-43450)

usb: ulpi: fix double free in ulpi_register_interface() error path(CVE-2026-31759)

net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info- leak(CVE-2026-43040)

ip6_tunnel: clear skb2-gt;cb[] in ip4ip6_err()(CVE-2026-43037)

net: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode(CVE-2026-43180)

usb: usbtmc: Flush anchored URBs in usbtmc_release(CVE-2026-31758)

netfilter: nft_ct: drop pending enqueued packets on removal(CVE-2026-43060)

Tenable has extracted the preceding description block directly from the EulerOS kernel security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected kernel packages.

See Also

http://www.nessus.org/u?822b5581

Plugin Details

Severity: High

ID: 326222

File Name: EulerOS_SA-2026-2535.nasl

Version: 1.1

Type: Local

Published: 7/10/2026

Updated: 7/10/2026

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.9

Percentile: 99.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-43027

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:huawei:euleros:kernel-tools-libs-devel, p-cpe:/a:huawei:euleros:kernel-tools-libs, p-cpe:/a:huawei:euleros:perf, p-cpe:/a:huawei:euleros:bpftool, p-cpe:/a:huawei:euleros:kernel-tools, p-cpe:/a:huawei:euleros:kernel, p-cpe:/a:huawei:euleros:python3-perf, p-cpe:/a:huawei:euleros:kernel-abi-stablelists, cpe:/o:huawei:euleros:2.0

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/EulerOS/release, Host/EulerOS/rpm-list, Host/EulerOS/sp

Excluded KB Items: Host/EulerOS/uvp_version

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/10/2026

Vulnerability Publication Date: 12/16/2025

Reference Information

CVE: CVE-2025-68313, CVE-2025-68795, CVE-2025-68822, CVE-2026-23119, CVE-2026-23240, CVE-2026-23253, CVE-2026-23255, CVE-2026-23261, CVE-2026-23268, CVE-2026-23269, CVE-2026-23271, CVE-2026-23272, CVE-2026-23274, CVE-2026-23276, CVE-2026-23277, CVE-2026-23290, CVE-2026-23292, CVE-2026-23293, CVE-2026-23300, CVE-2026-23303, CVE-2026-23304, CVE-2026-23312, CVE-2026-23317, CVE-2026-23340, CVE-2026-23351, CVE-2026-23352, CVE-2026-23365, CVE-2026-23368, CVE-2026-23371, CVE-2026-23381, CVE-2026-23388, CVE-2026-23389, CVE-2026-23391, CVE-2026-23397, CVE-2026-23398, CVE-2026-23403, CVE-2026-23404, CVE-2026-23405, CVE-2026-23406, CVE-2026-23407, CVE-2026-23408, CVE-2026-23409, CVE-2026-23410, CVE-2026-23411, CVE-2026-23442, CVE-2026-23447, CVE-2026-23448, CVE-2026-23449, CVE-2026-23452, CVE-2026-23455, CVE-2026-23456, CVE-2026-23457, CVE-2026-23458, CVE-2026-23472, CVE-2026-31392, CVE-2026-31399, CVE-2026-31400, CVE-2026-31402, CVE-2026-31403, CVE-2026-31404, CVE-2026-31405, CVE-2026-31414, CVE-2026-31415, CVE-2026-31416, CVE-2026-31418, CVE-2026-31419, CVE-2026-31421, CVE-2026-31422, CVE-2026-31423, CVE-2026-31426, CVE-2026-31427, CVE-2026-31428, CVE-2026-31436, CVE-2026-31441, CVE-2026-31447, CVE-2026-31448, CVE-2026-31449, CVE-2026-31450, CVE-2026-31452, CVE-2026-31453, CVE-2026-31454, CVE-2026-31455, CVE-2026-31469, CVE-2026-31473, CVE-2026-31495, CVE-2026-31496, CVE-2026-31503, CVE-2026-31508, CVE-2026-31515, CVE-2026-31516, CVE-2026-31521, CVE-2026-31523, CVE-2026-31527, CVE-2026-31531, CVE-2026-31555, CVE-2026-31557, CVE-2026-31586, CVE-2026-31588, CVE-2026-31590, CVE-2026-31624, CVE-2026-31625, CVE-2026-31651, CVE-2026-31662, CVE-2026-31664, CVE-2026-31665, CVE-2026-31670, CVE-2026-31673, CVE-2026-31674, CVE-2026-31675, CVE-2026-31677, CVE-2026-31678, CVE-2026-31679, CVE-2026-31680, CVE-2026-31682, CVE-2026-31685, CVE-2026-31708, CVE-2026-31729, CVE-2026-31751, CVE-2026-31755, CVE-2026-31758, CVE-2026-31759, CVE-2026-31781, CVE-2026-43027, CVE-2026-43028, CVE-2026-43030, CVE-2026-43033, CVE-2026-43037, CVE-2026-43038, CVE-2026-43040, CVE-2026-43043, CVE-2026-43047, CVE-2026-43048, CVE-2026-43057, CVE-2026-43060, CVE-2026-43064, CVE-2026-43068, CVE-2026-43071, CVE-2026-43079, CVE-2026-43094, CVE-2026-43124, CVE-2026-43156, CVE-2026-43158, CVE-2026-43171, CVE-2026-43180, CVE-2026-43187, CVE-2026-43194, CVE-2026-43211, CVE-2026-43233, CVE-2026-43273, CVE-2026-43281, CVE-2026-43344, CVE-2026-43363, CVE-2026-43365, CVE-2026-43383, CVE-2026-43407, CVE-2026-43408, CVE-2026-43409, CVE-2026-43416, CVE-2026-43429, CVE-2026-43445, CVE-2026-43450, CVE-2026-43452, CVE-2026-43453, CVE-2026-43493, CVE-2026-43503, CVE-2026-46333