[El-errata] ELSA-2026-13565 Important: Oracle Linux 9 kernel security update
Errata Announcements for Oracle Linux
el-errata at oss.oracle.com
Wed May 6 22:07:21 UTC 2026
Oracle Linux Security Advisory ELSA-2026-13565
http://linux.oracle.com/errata/ELSA-2026-13565.html
The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:
x86_64:
kernel-5.14.0-611.54.1.el9_7.x86_64.rpm
kernel-abi-stablelists-5.14.0-611.54.1.el9_7.noarch.rpm
kernel-core-5.14.0-611.54.1.el9_7.x86_64.rpm
kernel-cross-headers-5.14.0-611.54.1.el9_7.x86_64.rpm
kernel-debug-5.14.0-611.54.1.el9_7.x86_64.rpm
kernel-debug-core-5.14.0-611.54.1.el9_7.x86_64.rpm
kernel-debug-devel-5.14.0-611.54.1.el9_7.x86_64.rpm
kernel-debug-devel-matched-5.14.0-611.54.1.el9_7.x86_64.rpm
kernel-debug-modules-5.14.0-611.54.1.el9_7.x86_64.rpm
kernel-debug-modules-core-5.14.0-611.54.1.el9_7.x86_64.rpm
kernel-debug-modules-extra-5.14.0-611.54.1.el9_7.x86_64.rpm
kernel-debug-uki-virt-5.14.0-611.54.1.el9_7.x86_64.rpm
kernel-devel-5.14.0-611.54.1.el9_7.x86_64.rpm
kernel-devel-matched-5.14.0-611.54.1.el9_7.x86_64.rpm
kernel-doc-5.14.0-611.54.1.el9_7.noarch.rpm
kernel-headers-5.14.0-611.54.1.el9_7.x86_64.rpm
kernel-modules-5.14.0-611.54.1.el9_7.x86_64.rpm
kernel-modules-core-5.14.0-611.54.1.el9_7.x86_64.rpm
kernel-modules-extra-5.14.0-611.54.1.el9_7.x86_64.rpm
kernel-tools-5.14.0-611.54.1.el9_7.x86_64.rpm
kernel-tools-libs-5.14.0-611.54.1.el9_7.x86_64.rpm
kernel-tools-libs-devel-5.14.0-611.54.1.el9_7.x86_64.rpm
kernel-uki-virt-5.14.0-611.54.1.el9_7.x86_64.rpm
kernel-uki-virt-addons-5.14.0-611.54.1.el9_7.x86_64.rpm
libperf-5.14.0-611.54.1.el9_7.x86_64.rpm
perf-5.14.0-611.54.1.el9_7.x86_64.rpm
python3-perf-5.14.0-611.54.1.el9_7.x86_64.rpm
rtla-5.14.0-611.54.1.el9_7.x86_64.rpm
rv-5.14.0-611.54.1.el9_7.x86_64.rpm
aarch64:
kernel-cross-headers-5.14.0-611.54.1.el9_7.aarch64.rpm
kernel-headers-5.14.0-611.54.1.el9_7.aarch64.rpm
kernel-tools-5.14.0-611.54.1.el9_7.aarch64.rpm
kernel-tools-libs-5.14.0-611.54.1.el9_7.aarch64.rpm
kernel-tools-libs-devel-5.14.0-611.54.1.el9_7.aarch64.rpm
libperf-5.14.0-611.54.1.el9_7.aarch64.rpm
perf-5.14.0-611.54.1.el9_7.aarch64.rpm
python3-perf-5.14.0-611.54.1.el9_7.aarch64.rpm
rtla-5.14.0-611.54.1.el9_7.aarch64.rpm
rv-5.14.0-611.54.1.el9_7.aarch64.rpm
SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/kernel-5.14.0-611.54.1.el9_7.src.rpm
Related CVEs:
CVE-2026-23136
CVE-2026-23270
CVE-2026-31402
CVE-2026-31431
Description of changes:
[5.14.0-611.54.1]
- Disable UKI signing [Orabug: 36571828]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5]
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
- Add Oracle Linux IMA certificates
- Add new Oracle Linux Driver Signing (key 1) certificate [Orabug: 37985764]
[5.14.0-611.54.1]
- crypto: algif_aead - snapshot IV for async AEAD requests (Vladislav Dronov) [RHEL-172201]
- crypto: algif_aead - Fix minimum RX size check for decryption (Vladislav Dronov) [RHEL-172201]
- crypto: authencesn - reject short ahash digests during instance creation (Vladislav Dronov) [RHEL-172201]
- crypto: authencesn - Fix src offset when decrypting in-place (Vladislav Dronov) [RHEL-172201]
- crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption (Vladislav Dronov) [RHEL-172201] {CVE-2026-31431}
- crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec (Vladislav Dronov) [RHEL-172201] {CVE-2026-23060}
- crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl (Vladislav Dronov) [RHEL-172201]
- crypto: af_alg - limit RX SG extraction by receive buffer budget (Vladislav Dronov) [RHEL-172201] {CVE-2026-31677}
- crypto: algif_aead - Revert to operating out-of-place (Vladislav Dronov) [RHEL-172201] {CVE-2026-31431}
- crypto: af-alg - fix NULL pointer dereference in scatterwalk (Vladislav Dronov) [RHEL-172201]
[5.14.0-611.53.1]
- tracing: Fix a warning when allocating buffered events fails (CKI KWF BOT) [RHEL-169366]
- tracing: Fix a possible race when disabling buffered events (CKI KWF BOT) [RHEL-169366]
- tracing: Fix incomplete locking when disabling buffered events (CKI KWF BOT) [RHEL-169366]
- thunderbolt: Fix wake on connect at runtime (Desnes Nunes) [RHEL-104807]
- thunderbolt: Fix a logic error in wake on connect (Desnes Nunes) [RHEL-104807]
- thunderbolt: Use wake on connect and disconnect over suspend (Desnes Nunes) [RHEL-104807]
- i2c: i801: Revert "i2c: i801: replace acpi_lock with I2C bus lock" (David Arcari) [RHEL-155311]
- net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks (CKI Backport Bot) [RHEL-157327] {CVE-2026-23270}
[5.14.0-611.52.1]
- libceph: reset sparse-read state in osd_fault() (CKI Backport Bot) [RHEL-150464] {CVE-2026-23136}
[5.14.0-611.51.1]
- nfsd: fix heap overflow in NFSv4.0 LOCK replay cache (Scott Mayhew) [RHEL-167016] {CVE-2026-31402}
- i40e: support generic devlink param "max_mac_per_vf" (Mohammad Heib) [RHEL-121643]
- devlink: Add new "max_mac_per_vf" generic device param (Mohammad Heib) [RHEL-121643]
- i40e: improve VF MAC filters accounting (Mohammad Heib) [RHEL-121643]
[5.14.0-611.50.1]
- smb: client: fix krb5 mount with username option (Paulo Alcantara) [RHEL-158987]
- md/raid1: fix data lost for writemostly rdev (Nigel Croxon) [RHEL-143624]
More information about the El-errata
mailing list