{"id":"OESA-2026-2929","summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nipc: limit next_id allocation to the valid ID range\n\nThe checkpoint/restore sysctl path can request the next SysV IPC id\nthrough ids-&gt;next_id.  ipc_idr_alloc() currently forwards that request to\nidr_alloc() with an open-ended upper bound.\n\nIf the valid tail of the SysV IPC id space is full, the allocation can\nspill beyond ipc_mni.  The returned SysV IPC id still uses the normal\nindex encoding, so later lookup and removal can target the wrong slot. \nThis leaves the real IDR entry behind and breaks the IDR state for the\nobject.\n\nThe bug is in ipc_idr_alloc() in the checkpoint/restore path.\n\n1. ids-&gt;next_id is passed to:\n\n       idr_alloc(&amp;ids-&gt;ipcs_idr, new, ipcid_to_idx(next_id), 0, ...)\n\n2. The zero upper bound makes the allocation effectively open-ended.\n   Once the valid SysV IPC tail is occupied, idr_alloc() can spill past\n   ipc_mni and allocate an entry beyond the valid IPC id range.\n\n3. The new object id is still encoded with the narrower SysV IPC index\n   width:\n\n       new-&gt;id = (new-&gt;seq &lt;&lt; ipcmni_seq_shift()) + idx\n\n4. Later removal goes through ipc_rmid(), which uses:\n\n       ipcid_to_idx(ipcp-&gt;id)\n\n   That truncates the real IDR index. An object actually stored at a\n   high index can then be removed as if it lived at a low in-range\n   index.\n\n5. For shared memory, shm_destroy() frees the current object anyway, but\n   the real high IDR slot is left behind as a dangling pointer.\n\n6. A subsequent walk of /proc/sysvipc/shm reaches the stale IDR entry\n   and dereferences freed memory.\n\nPrevent this by bounding the requested allocation to ipc_mni so the\ncheckpoint/restore path fails once the valid range is exhausted.(CVE-2026-52923)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/umem: Fix truncation for block sizes &gt;= 4G\n\nWhen the iommu is used the linearization of the mapping can give a single\nblock that is very large split across multiple SG entries.\n\nWhen __rdma_block_iter_next() reassembles the split SG entries it is\noverflowing the 32 bit stack values and computed the wrong DMA addresses\nfor blocks after the truncation.\n\nUse the right types to hold DMA addresses.(CVE-2026-53133)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nIB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN\n\nIn drivers/infiniband/ulp/isert/ib_isert.c, isert_login_recv_done()\ncomputes the login request payload length as wc-&gt;byte_len minus\nISER_HEADERS_LEN with no lower bound, and login_req_len is a signed int.\nA remote iSER initiator can post a login Send work request carrying\nfewer than ISER_HEADERS_LEN (76) bytes, so the subtraction underflows\nand login_req_len becomes negative.\n\nisert_rx_login_req() then reads that negative length back into a signed\nint, takes size = min(rx_buflen, MAX_KEY_VALUE_PAIRS), and because the\nmin() is signed it keeps the negative value; the value is then passed as\nthe memcpy() length and sign-extended to a multi-gigabyte size_t. The\ncopy into the 8192-byte login-&gt;req_buf runs far out of bounds and\nfaults, crashing the target node. The login phase precedes iSCSI\nauthentication, so no credentials are required to reach this path.\n\nReject any login PDU shorter than ISER_HEADERS_LEN before the\nsubtraction, mirroring the existing early return on a failed work\ncompletion, so login_req_len can never go negative. The upper bound was\nalready safe: a posted login buffer cannot deliver more than\nISER_RX_PAYLOAD_SIZE, so the difference stays at or below\nMAX_KEY_VALUE_PAIRS and the existing min() clamps it; only the missing\nlower bound needs to be added.(CVE-2026-53176)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nUSB: serial: kl5kusb105: fix bulk-out buffer overflow\n\nklsi_105_prepare_write_buffer() is called by the generic write path\nwith the bulk-out buffer and its size (bulk_out_size, 64 bytes). It\nstores a two-byte length header at the start of the buffer and copies\nthe payload from the write fifo starting at buf + KLSI_HDR_LEN, but\npasses the full buffer size as the number of bytes to copy:\n\n  count = kfifo_out_locked(&amp;port-&gt;write_fifo, buf + KLSI_HDR_LEN,\n                           size, &amp;port-&gt;lock);\n\nWhen the fifo holds at least size bytes, size bytes are copied starting\ntwo bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its\nend. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for\nthe header as safe_serial already does.\n\nWriting bulk_out_size or more bytes to the tty triggers a slab\nout-of-bounds write, observed with KASAN by emulating the device with\ndummy_hcd and raw-gadget:\n\n  BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0\n  Write of size 64 at addr ffff888112c62202 by task python3\n   kfifo_copy_out\n   klsi_105_prepare_write_buffer [kl5kusb105]\n   usb_serial_generic_write_start [usbserial]\n  Allocated by task 139:\n   usb_serial_probe [usbserial]\n  The buggy address is located 2 bytes inside of allocated 64-byte region\n\nThe out-of-bounds write no longer occurs with this change applied.(CVE-2026-53194)","modified":"2026-07-09T13:00:11.761366679Z","published":"2026-07-09T12:52:22Z","upstream":["CVE-2026-52923","CVE-2026-53133","CVE-2026-53176","CVE-2026-53194"],"database_specific":{"severity":"High"},"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2929"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-52923"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53133"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53176"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53194"}],"affected":[{"package":{"name":"kernel","ecosystem":"openEuler:20.03-LTS-SP4","purl":"pkg:rpm/openEuler/kernel&distro=openEuler-20.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.19.90-2607.1.0.0379.oe2003sp4"}]}],"ecosystem_specific":{"aarch64":["bpftool-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm","bpftool-debuginfo-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm","kernel-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm","kernel-debuginfo-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm","kernel-debugsource-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm","kernel-devel-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm","kernel-source-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm","kernel-tools-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm","kernel-tools-debuginfo-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm","kernel-tools-devel-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm","perf-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm","perf-debuginfo-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm","python2-perf-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm","python2-perf-debuginfo-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm","python3-perf-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm","python3-perf-debuginfo-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm"],"x86_64":["bpftool-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm","bpftool-debuginfo-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm","kernel-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm","kernel-debuginfo-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm","kernel-debugsource-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm","kernel-devel-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm","kernel-source-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm","kernel-tools-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm","kernel-tools-debuginfo-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm","kernel-tools-devel-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm","perf-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm","perf-debuginfo-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm","python2-perf-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm","python2-perf-debuginfo-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm","python3-perf-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm","python3-perf-debuginfo-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm"],"src":["kernel-4.19.90-2607.1.0.0379.oe2003sp4.src.rpm"]},"database_specific":{"source":"https://repo.openeuler.org/security/data/osv/OESA-2026-2929.json"}}],"schema_version":"1.7.5"}