Alibaba Cloud Linux 3 : 0209: kernel (ALINUX3-SA-2026:0209)

high Nessus Plugin ID 327664

Synopsis

The remote Alibaba Cloud Linux host is missing one or more security updates.

Description

The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2026:0209 advisory.

Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities:

CVE-2026-43499:
In the Linux kernel, the following vulnerability has been resolved:
rtmutex: Use waiter::task instead of current in remove_waiter() remove_waiter() is used by the slowlock paths, but it is also used for proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from futex_requeue().
In the latter case waiter::task is not current, but remove_waiter() operates on current for the dequeue operation. That results in several problems:
1) the rbtree dequeue happens without waiter::task::pi_lock being held 2) the waiter task's pi_blocked_on state is not cleared, which leaves a dangling pointer primed for UAF around.
3) rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter task Use waiter::task instead of current in all related operations in remove_waiter() to cure those problems.
[ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the changelog ]

CVE-2026-43503:
In the Linux kernel, the following vulnerability has been resolved:
net: skbuff: propagate shared-frag marker through frag-transfer helpers Two frag-transfer helpers (__pskb_copy_fclone() and skb_shift()) fail to propagate the SKBFL_SHARED_FRAG bit in skb_shinfo()->flags when moving frags from source to destination. __pskb_copy_fclone() defers the rest of the shinfo metadata to skb_copy_header() after copying frag descriptors, but that helper only carries over gso_{size,segs, type} and never touches skb_shinfo()->flags; skb_shift() moves frag descriptors directly and leaves flags untouched. As a result, the destination skb keeps a reference to the same externally-owned or page-cache-backed pages while reporting skb_has_shared_frag() as false.
The mismatch is harmful in any in-place writer that uses skb_has_shared_frag() to decide whether shared pages must be detoured through skb_cow_data(). ESP input is one such writer (esp4.c, esp6.c), and a single nft 'dup to <local>' rule -- or any other nf_dup_ipv4() / xt_TEE caller -- is enough to land a pskb_copy()'d skb in esp_input() with the marker stripped, letting an unprivileged user write into the page cache of a root-owned read-only file via authencesn-ESN stray writes.
Set SKBFL_SHARED_FRAG on the destination whenever frag descriptors were actually moved from the source. skb_copy() and skb_copy_expand() share skb_copy_header() too but linearize all paged data into freshly allocated head storage and emerge with nr_frags == 0, so skb_has_shared_frag() returns false on its own; they need no change.
The same omission exists in skb_gro_receive() and skb_gro_receive_list().
The former moves the incoming skb's frag descriptors into the accumulator's last sub-skb via two paths (a direct frag-move loop and the head_frag + memcpy path); the latter chains the incoming skb whole onto p's frag_list. Downstream skb_segment() reads only skb_shinfo(p)->flags, and skb_segment_list() reuses each sub-skb's shinfo as the nskb -- both p and lp must carry the marker.
The same omission also exists in tcp_clone_payload(), which builds an MTU probe skb by moving frag descriptors from skbs on sk_write_queue into a freshly allocated nskb. The helper falls into the same family and warrants the same fix for consistency; no TCP TX-side in-place writer is currently known to reach a user page through this gap, but a future consumer depending on the marker would regress silently.
The same omission exists in skb_segment(): the per-iteration flag merge takes only head_skb's flag, and the inner switch that rebinds frag_skb to list_skb on head_skb-frags exhaustion does not fold the new frag_skb's flag into nskb. Fold frag_skb's flag at both sites so segments drawing frags from frag_list members carry the marker.

CVE-2026-53166:
In the Linux kernel, the following vulnerability has been resolved:
futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock When FUTEX_CMP_REQUEUE_PI requeues a non-top waiter that already owns the target PI futex, task_blocks_on_rt_mutex() returns -EDEADLK before setting waiter->task.
The subsequent remove_waiter() in rt_mutex_start_proxy_lock() dereferences the NULL waiter->task, causing a kernel crash.
Add a self-deadlock check for non-top waiters before calling rt_mutex_start_proxy_lock(), analogous to the top-waiter check in futex_lock_pi_atomic().

Tenable has extracted the preceding description block directly from the Alibaba Cloud Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

http://mirrors.aliyun.com/alinux/3/cve/alinux3-sa-20260209.xml

Plugin Details

Severity: High

ID: 327664

File Name: alinux3_sa_2026-0209.nasl

Version: 1.1

Type: Local

Published: 7/17/2026

Updated: 7/17/2026

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.2

Percentile: 99.76

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.6

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-43503

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7.2

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

CVSS Score Source: CVE-2026-43499

Vulnerability Information

CPE: p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-debug-core, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-debug-modules, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-debug-modules-extra, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:python3-perf, cpe:/o:alibabacloud:alibaba_cloud_linux_3, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-tools, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:perf, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-modules-extra, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:bpftool, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-debug-devel, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-modules, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-tools-libs-devel, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-core, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-devel, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-tools-libs, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-headers, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-debug

Required KB Items: Host/local_checks_enabled, Host/Alibaba/release, Host/Alibaba/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/17/2026

Vulnerability Publication Date: 5/15/2026

Reference Information

CVE: CVE-2026-43499, CVE-2026-43503