{"schema_version":"1.7.2","id":"OESA-2026-1340","modified":"2026-02-13T13:14:46Z","published":"2026-02-13T13:14:46Z","upstream":["CVE-2023-54284","CVE-2025-40018","CVE-2025-68285","CVE-2026-23003"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nmedia: av7110: prevent underflow in write_ts_to_decoder()\n\nThe buf[4] value comes from the user via ts_play().  It is a value in\nthe u8 range.  The final length we pass to av7110_ipack_instant_repack()\nis \"len - (buf[4] + 1) - 4\" so add a check to ensure that the length is\nnot negative.  It's not clear that passing a negative len value does\nanything bad necessarily, but it's not best practice.\n\nWith the new bounds checking the \"if (!len)\" condition is no longer\npossible or required so remove that.(CVE-2023-54284)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nipvs: Defer ip_vs_ftp unregister during netns cleanup\n\nOn the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp\nbefore connections with valid cp->app pointers are flushed, leading to a\nuse-after-free.\n\nFix this by introducing a global `exiting_module` flag, set to true in\nip_vs_ftp_exit() before unregistering the pernet subsystem. In\n__ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns\ncleanup (when exiting_module is false) and defer it to\n__ip_vs_cleanup_batch(), which unregisters all apps after all connections\nare flushed. If called during module exit, unregister ip_vs_ftp\nimmediately.(CVE-2025-40018)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: fix potential use-after-free in have_mon_and_osd_map()\n\nThe wait loop in __ceph_open_session() can race with the client\nreceiving a new monmap or osdmap shortly after the initial map is\nreceived.  
Both ceph_monc_handle_map() and handle_one_map() install\na new map immediately after freeing the old one\n\n    kfree(monc->monmap);\n    monc->monmap = monmap;\n\n    ceph_osdmap_destroy(osdc->osdmap);\n    osdc->osdmap = newmap;\n\nunder client->monc.mutex and client->osdc.lock respectively, but\nbecause neither is taken in have_mon_and_osd_map() it's possible for\nclient->monc.monmap->epoch and client->osdc.osdmap->epoch arms in\n\n    client->monc.monmap && client->monc.monmap->epoch &&\n        client->osdc.osdmap && client->osdc.osdmap->epoch;\n\ncondition to dereference an already freed map.  This happens to be\nreproducible with generic/395 and generic/397 with KASAN enabled:\n\n    BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70\n    Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305\n    CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266\n    ...\n    Call Trace:\n    <TASK>\n    have_mon_and_osd_map+0x56/0x70\n    ceph_open_session+0x182/0x290\n    ceph_get_tree+0x333/0x680\n    vfs_get_tree+0x49/0x180\n    do_new_mount+0x1a3/0x2d0\n    path_mount+0x6dd/0x730\n    do_mount+0x99/0xe0\n    __do_sys_mount+0x141/0x180\n    do_syscall_64+0x9f/0x100\n    entry_SYSCALL_64_after_hwframe+0x76/0x7e\n    </TASK>\n\n    Allocated by task 13305:\n    ceph_osdmap_alloc+0x16/0x130\n    ceph_osdc_init+0x27a/0x4c0\n    ceph_create_client+0x153/0x190\n    create_fs_client+0x50/0x2a0\n    ceph_get_tree+0xff/0x680\n    vfs_get_tree+0x49/0x180\n    do_new_mount+0x1a3/0x2d0\n    path_mount+0x6dd/0x730\n    do_mount+0x99/0xe0\n    __do_sys_mount+0x141/0x180\n    do_syscall_64+0x9f/0x100\n    entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n    Freed by task 9475:\n    kfree+0x212/0x290\n    handle_one_map+0x23c/0x3b0\n    ceph_osdc_handle_map+0x3c9/0x590\n    mon_dispatch+0x655/0x6f0\n    ceph_con_process_message+0xc3/0xe0\n    
ceph_con_v1_try_read+0x614/0x760\n    ceph_con_workfn+0x2de/0x650\n    process_one_work+0x486/0x7c0\n    process_scheduled_works+0x73/0x90\n    worker_thread+0x1c8/0x2a0\n    kthread+0x2ec/0x300\n    ret_from_fork+0x24/0x40\n    ret_from_fork_asm+0x1a/0x30\n\nRewrite the wait loop to check the above condition directly with\nclient->monc.mutex and client->osdc.lock taken as appropriate.  While\nat it, improve the timeout handling (previously mount_timeout could be\nexceeded in case wait_event_interruptible_timeout() slept more than\nonce) and access client->auth_err under client->monc.mutex to match\nhow it's set in finish_auth().\n\nmonmap_show() and osdmap_show() now take the respective lock before\naccessing the map as well.(CVE-2025-68285)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()\n\nBlamed commit did not take care of VLAN encapsulations\nas spotted by syzbot [1].\n\nUse skb_vlan_inet_prepare() instead of pskb_inet_may_pull().\n\n[1]\n BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321\n  __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n  INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n  IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321\n  ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729\n  __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860\n  ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903\n gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1\n  ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438\n  ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489\n  NF_HOOK include/linux/netfilter.h:318 [inline]\n  ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500\n  ip6_mc_input+0x7ca/0xc10 
net/ipv6/ip6_input.c:590\n  dst_input include/net/dst.h:474 [inline]\n  ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79\n  NF_HOOK include/linux/netfilter.h:318 [inline]\n  ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311\n  __netif_receive_skb_one_core net/core/dev.c:6139 [inline]\n  __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252\n  netif_receive_skb_internal net/core/dev.c:6338 [inline]\n  netif_receive_skb+0x57/0x630 net/core/dev.c:6397\n  tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485\n  tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953\n  tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999\n  new_sync_write fs/read_write.c:593 [inline]\n  vfs_write+0xbe2/0x15d0 fs/read_write.c:686\n  ksys_write fs/read_write.c:738 [inline]\n  __do_sys_write fs/read_write.c:749 [inline]\n  __se_sys_write fs/read_write.c:746 [inline]\n  __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746\n  x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2\n  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n  do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n  slab_post_alloc_hook mm/slub.c:4960 [inline]\n  slab_alloc_node mm/slub.c:5263 [inline]\n  kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315\n  kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586\n  __alloc_skb+0x805/0x1040 net/core/skbuff.c:690\n  alloc_skb include/linux/skbuff.h:1383 [inline]\n  alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712\n  sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995\n  tun_alloc_skb drivers/net/tun.c:1461 [inline]\n  tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794\n  tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999\n  new_sync_write fs/read_write.c:593 [inline]\n  vfs_write+0xbe2/0x15d0 fs/read_write.c:686\n  ksys_write fs/read_write.c:738 [inline]\n  __do_sys_write fs/read_write.c:749 [inline]\n  __se_sys_write fs/read_write.c:746 [inline]\n  __x64_sys_write+0x1fb/0x4d0 
fs/read_write.c:746\n  x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2\n  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n  do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nCPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025(CVE-2026-23003)","affected":[{"package":{"ecosystem":"openEuler:20.03-LTS-SP4","name":"kernel","purl":"pkg:rpm/openEuler/kernel&distro=openEuler-20.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.19.90-2602.2.0.0362.oe2003sp4"}]}],"ecosystem_specific":{"aarch64":["bpftool-4.19.90-2602.2.0.0362.oe2003sp4.aarch64.rpm","bpftool-debuginfo-4.19.90-2602.2.0.0362.oe2003sp4.aarch64.rpm","kernel-4.19.90-2602.2.0.0362.oe2003sp4.aarch64.rpm","kernel-debuginfo-4.19.90-2602.2.0.0362.oe2003sp4.aarch64.rpm","kernel-debugsource-4.19.90-2602.2.0.0362.oe2003sp4.aarch64.rpm","kernel-devel-4.19.90-2602.2.0.0362.oe2003sp4.aarch64.rpm","kernel-source-4.19.90-2602.2.0.0362.oe2003sp4.aarch64.rpm","kernel-tools-4.19.90-2602.2.0.0362.oe2003sp4.aarch64.rpm","kernel-tools-debuginfo-4.19.90-2602.2.0.0362.oe2003sp4.aarch64.rpm","kernel-tools-devel-4.19.90-2602.2.0.0362.oe2003sp4.aarch64.rpm","perf-4.19.90-2602.2.0.0362.oe2003sp4.aarch64.rpm","perf-debuginfo-4.19.90-2602.2.0.0362.oe2003sp4.aarch64.rpm","python2-perf-4.19.90-2602.2.0.0362.oe2003sp4.aarch64.rpm","python2-perf-debuginfo-4.19.90-2602.2.0.0362.oe2003sp4.aarch64.rpm","python3-perf-4.19.90-2602.2.0.0362.oe2003sp4.aarch64.rpm","python3-perf-debuginfo-4.19.90-2602.2.0.0362.oe2003sp4.aarch64.rpm"],"src":["kernel-4.19.90-2602.2.0.0362.oe2003sp4.src.rpm"],"x86_64":["bpftool-4.19.90-2602.2.0.0362.oe2003sp4.x86_64.rpm","bpftool-debuginfo-4.19.90-2602.2.0.0362.oe2003sp4.x86_64.rpm","kernel-4.19.90-2602.2.0.0362.oe2003sp4.x86_64.rpm","kernel-debuginfo-4.19.90-2602.2.0.0362.oe2003sp4.x86_64
.rpm","kernel-debugsource-4.19.90-2602.2.0.0362.oe2003sp4.x86_64.rpm","kernel-devel-4.19.90-2602.2.0.0362.oe2003sp4.x86_64.rpm","kernel-source-4.19.90-2602.2.0.0362.oe2003sp4.x86_64.rpm","kernel-tools-4.19.90-2602.2.0.0362.oe2003sp4.x86_64.rpm","kernel-tools-debuginfo-4.19.90-2602.2.0.0362.oe2003sp4.x86_64.rpm","kernel-tools-devel-4.19.90-2602.2.0.0362.oe2003sp4.x86_64.rpm","perf-4.19.90-2602.2.0.0362.oe2003sp4.x86_64.rpm","perf-debuginfo-4.19.90-2602.2.0.0362.oe2003sp4.x86_64.rpm","python2-perf-4.19.90-2602.2.0.0362.oe2003sp4.x86_64.rpm","python2-perf-debuginfo-4.19.90-2602.2.0.0362.oe2003sp4.x86_64.rpm","python3-perf-4.19.90-2602.2.0.0362.oe2003sp4.x86_64.rpm","python3-perf-debuginfo-4.19.90-2602.2.0.0362.oe2003sp4.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1340"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-54284"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40018"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68285"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23003"}],"database_specific":{"severity":"High"}}
