[El-errata] ELSA-2026-50271 Important: Oracle Linux 9 Unbreakable Enterprise kernel security update

Thu May 14 22:42:36 UTC 2026

Oracle Linux Security Advisory ELSA-2026-50271

http://linux.oracle.com/errata/ELSA-2026-50271.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

aarch64:
bpftool-5.15.0-320.202.8.3.el9uek.aarch64.rpm
kernel-uek-5.15.0-320.202.8.3.el9uek.aarch64.rpm
kernel-uek-container-5.15.0-320.202.8.3.el9uek.aarch64.rpm
kernel-uek-container-debug-5.15.0-320.202.8.3.el9uek.aarch64.rpm
kernel-uek-core-5.15.0-320.202.8.3.el9uek.aarch64.rpm
kernel-uek-debug-5.15.0-320.202.8.3.el9uek.aarch64.rpm
kernel-uek-debug-core-5.15.0-320.202.8.3.el9uek.aarch64.rpm
kernel-uek-debug-devel-5.15.0-320.202.8.3.el9uek.aarch64.rpm
kernel-uek-debug-modules-5.15.0-320.202.8.3.el9uek.aarch64.rpm
kernel-uek-debug-modules-extra-5.15.0-320.202.8.3.el9uek.aarch64.rpm
kernel-uek-devel-5.15.0-320.202.8.3.el9uek.aarch64.rpm
kernel-uek-doc-5.15.0-320.202.8.3.el9uek.noarch.rpm
kernel-uek-modules-5.15.0-320.202.8.3.el9uek.aarch64.rpm
kernel-uek-modules-extra-5.15.0-320.202.8.3.el9uek.aarch64.rpm
kernel-uek64k-5.15.0-320.202.8.3.el9uek.aarch64.rpm
kernel-uek64k-core-5.15.0-320.202.8.3.el9uek.aarch64.rpm
kernel-uek64k-devel-5.15.0-320.202.8.3.el9uek.aarch64.rpm
kernel-uek64k-modules-5.15.0-320.202.8.3.el9uek.aarch64.rpm
kernel-uek64k-modules-extra-5.15.0-320.202.8.3.el9uek.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/kernel-uek-5.15.0-320.202.8.3.el9uek.src.rpm

Related CVEs:

CVE-2026-23270
CVE-2026-31402

Description of changes:

[5.15.0-320.202.8.3]
- nfsd: fix heap overflow in NFSv4.0 LOCK replay cache (Jeff Layton)  [Orabug: 39362036]  {CVE-2026-31402}
- net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks (Victor Nogueira)  [Orabug: 39362005]  {CVE-2026-23270}
- KVM: x86: disable preemption around the call to kvm_arch_vcpu_{un|}blocking (Maxim Levitsky)  [Orabug: 39362018]
- KVM: Don't block+unblock when halt-polling is successful (Sean Christopherson)  [Orabug: 39362018]

[5.15.0-320.202.8.2]
- xfrm: esp: ipv4: fix up flags setting (Greg Kroah-Hartman)  [Orabug: 39344515]  {CVE-2026-43284}
- xfrm: esp: avoid in-place decrypt on shared skb frags (Kuan-Ting Chen)  [Orabug: 39344515]  {CVE-2026-43284}

[5.15.0-320.202.8.1]
- x86/CPU/AMD: Add a fix for AMD-SB-7052 (Prathyushi Nangia)  [Orabug: 39327141]  {CVE-2025-54518}

[5.15.0-320.202.8]
- iommu/arm-smmu-v3: Handle zeroed A4-2C HTTU override settings (Joao Martins)  [Orabug: 39186453]
- iommu: Move IOMMU_DIRTY_NO_CLEAR define (Shameer Kolothum)  [Orabug: 39186453]
- iommu/arm-smmu-v3: Enable HTTU for stage1 with io-pgtable mapping (Kunkun Jiang)  [Orabug: 39186453]
- iommu/arm-smmu-v3: Add support for dirty tracking in domain alloc (Joao Martins)  [Orabug: 39186453]
- iommu/io-pgtable-arm: Add read_and_clear_dirty() support (Shameer Kolothum)  [Orabug: 39186453]
- iommu/arm-smmu-v3: Add feature detection for HTTU (Jean-Philippe Brucker)  [Orabug: 39186453]

[5.15.0-320.202.7]
- crypto: algif_aead - Fix minimum RX size check for decryption (Herbert Xu)  [Orabug: 39250686]
- crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl (Herbert Xu)  [Orabug: 39250686]
- crypto: authencesn - Fix src offset when decrypting in-place (Herbert Xu)  [Orabug: 39250686]
- crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption (Herbert Xu)  [Orabug: 39250686]
- crypto: authenc - use memcpy_sglist() instead of null skcipher (Eric Biggers)  [Orabug: 39250686]
- crypto: algif_aead - snapshot IV for async AEAD requests (Douya Le)  [Orabug: 39250686]
- crypto: algif_aead - Revert to operating out-of-place (Herbert Xu)  [Orabug: 39250686]  {CVE-2026-31431}
- crypto: algif_aead - use memcpy_sglist() instead of null skcipher (Eric Biggers)  [Orabug: 39250686]
- crypto: scatterwalk - Backport memcpy_sglist() (Eric Biggers)  [Orabug: 39250686]
- uek-rpm: Enable FWCTL for aarch64 (Dave Kleikamp)  [Orabug: 39252913]

[5.15.0-320.202.6]
- Revert "rds: Drop rds conn in connect worker if not in down state." (Vijayendra Suman) [Orabug: 39277795]
- uek-rpm: CONFIG_INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON should be set (Dave Kleikamp) [Orabug: 39109819]
- iommu/vt-d: Disallow dirty tracking if incoherent page walk (Lu Baolu) [Orabug: 39109819]
- iommu/vt-d: Set variable intel_dirty_ops to static (Kunwu Chan) [Orabug: 39109819]
- iommu/vt-d: Access/Dirty bit support for SS domains (Joao Martins) [Orabug: 39109819]
- iommu/amd: reduce GA Log overflow printk noise (Alejandro Jimenez) [Orabug: 39209012]
- iommu/amd: add reschedule points to GA Log draining (Alejandro Jimenez) [Orabug: 39209012]
- iommu/amd: Rework GAInt handling in overflow case (Joao Martins) [Orabug: 39209012]
- iommu/amd: Disable GAInt while GA Log is processed (Joao Martins) [Orabug: 39209012]
- iommu/amd: Move helpers to update IOMMU features to amd_iommu.h (Alejandro Jimenez) [Orabug: 39209012]
- iommu/amd: Increase GA Log buffer size to 8192 entries (Joao Martins) [Orabug: 39209012]
- x86/CPU: Fix FPDSS on Zen1 (Borislav Petkov) [Orabug: 39241228,39273722] {CVE-2026-31628}

[5.15.0-320.202.5]
- Revert "PCI: Enable ACS after configuring IOMMU for OF platforms" (Manivannan Sadhasivam) [Orabug: 39187371]
- net/handshake: duplicate handshake cancellations leak socket (Scott Mayhew) [Orabug: 38847720] {CVE-2025-68775}
- ext4: show 'shutdown' hint when ext4 is forced to shutdown (Baokun Li) [Orabug: 39002346]
- ext4: show 'emergency_ro' when EXT4_FLAGS_EMERGENCY_RO is set (Baokun Li) [Orabug: 39002346]
- ext4: correct behavior under errors=remount-ro mode (Baokun Li) [Orabug: 39002346]
- ext4: add more ext4_emergency_state() checks around sb_rdonly() (Baokun Li) [Orabug: 39002346]
- ext4: add ext4_emergency_state() helper function (Baokun Li) [Orabug: 39002346]
- ext4: add EXT4_FLAGS_EMERGENCY_RO bit (Baokun Li) [Orabug: 39002346]
- ext4: convert EXT4_FLAGS_* defines to enum (Baokun Li) [Orabug: 39002346]
- ext4: make ext4_forced_shutdown() take struct super_block (Jan Kara) [Orabug: 39002346]
- ipv6: use RCU in ip6_xmit() (Eric Dumazet) [Orabug: 38649062] {CVE-2025-40135}
- memfd: move MFD_MF_KEEP_UE_MAPPED flag to higher bit (William Roche) [Orabug: 39109773]
- scsi: qla2xxx: Sanitize payload size to prevent member overflow (Jiasheng Jiang) [Orabug: 38930868] {CVE-2026-23059}
- bpf: Fix reference count leak in bpf_prog_test_run_xdp() (Tetsuo Handa) [Orabug: 38887702] {CVE-2026-22994}
- nfsd: check that server is running in unlock_filesystem (Olga Kornievskaia) [Orabug: 38887682] {CVE-2026-22989}
- net/mlx5e: TC, delete flows only for existing peers (Mark Bloch) [Orabug: 38970398] {CVE-2026-23173}
- net/handshake: restore destructor on submit failure (Caoping) [Orabug: 38887601] {CVE-2025-71148}
- scsi: qla2xxx: Fix improper freeing of purex item (Zilin Guan) [Orabug: 38798929] {CVE-2025-68741}
- bnxt_en: Fix XDP_TX path (Michael Chan) [Orabug: 38847684] {CVE-2025-68770}
- perf/x86/amd: Check event before enable to avoid GPF (George Kennedy) [Orabug: 38847849] {CVE-2025-68798}
- scsi: smartpqi: Fix device resources accessed after device removal (Mike Mcgowen) [Orabug: 38798848] {CVE-2025-68371}
- KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced (Omar Sandoval) [Orabug: 38773579] {CVE-2025-68259}
- x86/fpu: Ensure XFD state on signal delivery (Chang S. Bae) [Orabug: 38773165] {CVE-2025-68171}
- virtio-net: fix received length check in big packets (Bui Quang Minh) [Orabug: 38737152] {CVE-2025-40292}
- ACPI: CPPC: Fix NULL pointer dereference when nosmp is used (Yunhui Cui) [Orabug: 38641284] {CVE-2025-38113}
- EDAC/i10nm: Skip DIMM enumeration on a disabled memory controller (Qiuxu Zhuo) [Orabug: 38649173] {CVE-2025-40157}
- sunrpc: fix null pointer dereference on zero-length checksum (Lei Lu) [Orabug: 38649042] {CVE-2025-40129}
- cpufreq: CPPC: Fix possible null-ptr-deref for cppc_get_cpu_cost() (Jinjie Ruan) [Orabug: 38641275] {CVE-2024-53230}
- cpufreq: CPPC: Fix possible null-ptr-deref for cpufreq_cpu_get_raw() (Jinjie Ruan) [Orabug: 38641272] {CVE-2024-53231}
- vhost: vringh: Fix copy_to_iter return value check (Michael S. Tsirkin) [Orabug: 38592117] {CVE-2025-40056}
- crypto: qat - flush misc workqueue during device shutdown (Giovanni Cabiddu) [Orabug: 38401717] {CVE-2025-39721}
- vhost: vringh: Modify the return value check (Zhang Jiao) [Orabug: 38592085] {CVE-2025-40051}
- virtio-net: fix recursived rtnl_lock() during probe() (Zigit Zo) [Orabug: 38324330] {CVE-2025-38551}
- gve: prevent ethtool ops after shutdown (Jordan Rhee) [Orabug: 38401492] {CVE-2025-38735}
- KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight (Sean Christopherson) [Orabug: 38254140] {CVE-2025-38455}
- net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect (Oleksij Rempel) [Orabug: 38253871] {CVE-2025-38385}
- net/mlx5e: Disable MACsec offload for uplink representor profile (Carolina Jubran) [Orabug: 38094809] {CVE-2025-38020}
- dmaengine: idxd: fix memory leak in error handling path of idxd_alloc (Shuai Xue) [Orabug: 38094794] {CVE-2025-38015}
- net/mlx5: Fix ECVF vports unload on shutdown flow (Amir Tzin) [Orabug: 38152903] {CVE-2025-38109}
- bnxt: properly flush XDP redirect lists (Yan Zhai) [Orabug: 38175054] {CVE-2025-38246}
- eth: bnxt: fix missing ring index trim on error path (Jakub Kicinski) [Orabug: 37937451] {CVE-2025-37873}
- net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table() (Henry Martin) [Orabug: 37938078] {CVE-2025-37888}
- nfsd: fix possible badness in FREE_STATEID (Olga Kornievskaia) [Orabug: 37989102] {CVE-2024-50043}
- devlink: fix xa_alloc_cyclic() error handling (Michal Swiatkowski) [Orabug: 37828271] {CVE-2025-22017}

[5.15.0-320.202.4]
- xsk: fix an integer overflow in xp_create_and_assign_umem() (Gavrilov Ilia) [Orabug: 37828202] {CVE-2025-21997}
- RDMA/mlx5: Fix the recovery flow of the UMR QP (Yishai Hadas) [Orabug: 37766306] {CVE-2025-21892}
- misc: misc_minor_alloc to use ida for all dynamic/misc dynamic minors (Vimal Agrawal) [Orabug: 37678552] {CVE-2024-58078}
- net/sched: cls_api: fix error handling causing NULL dereference (Pierre Riteau) [Orabug: 37702083] {CVE-2025-21857}
- bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type() (Shigeru Yoshida) [Orabug: 37766220] {CVE-2025-21867}
- net: xdp: Disallow attaching device-bound programs in generic mode (Toke Høiland-Jørgensen) [Orabug: 37650238] {CVE-2025-21808}
- iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index() (Qasim Ijaz) [Orabug: 37649891] {CVE-2025-21724}
- xfrm: delete intermediate secpath entry in packet offload mode (Alexandre Cassen) [Orabug: 37649866] {CVE-2025-21720}
- gpiolib: Fix crash on error in gpiochip_get_ngpios() (Andy Shevchenko) [Orabug: 37650154] {CVE-2025-21783}
- scsi: mpi3mr: Fix possible crash when setting up bsg fails (Guixin Liu) [Orabug: 37649886] {CVE-2025-21723}
- uek-rpm: Enable CONFIG_NET_VRF in container kernel (Boris Ostrovsky) [Orabug: 38932706]
- Documentation: add documentation for MFD_MF_KEEP_UE_MAPPED (William Roche) [Orabug: 38768951]
- selftests/mm: test userspace MFR for HugeTLB hugepage (William Roche) [Orabug: 38768951]
- mm: memfd/hugetlb: introduce memfd-based userspace MFR policy (William Roche) [Orabug: 38768951]

[5.15.0-320.202.3]
- net/mlx5: poll mlx5 eq during irq migration (Praveen Kumar Kannoju) [Orabug: 38915250]
- ipv4: icmp: convert to dev_net_rcu() (Eric Dumazet) [Orabug: 38807392]
- ipv4: use RCU protection in ip_dst_mtu_maybe_forward() (Eric Dumazet) [Orabug: 38807392]
- KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE (Sean Christopherson) [Orabug: 39151165,39159089] {CVE-2026-23401}

[5.15.0-320.202.2]
- vfio: Adapt to upstream uAPI for VFIO_PRECOPY_INFO_REINIT (Maciej S. Szmigiero) [Orabug: 39121645]
- vfio/mlx5: Add REINIT support to VFIO_MIG_GET_PRECOPY_INFO (Yishai Hadas) [Orabug: 39065603]
- vfio/mlx5: consider inflight SAVE during PRE_COPY (Yishai Hadas) [Orabug: 39065603]
- net/mlx5: Add IFC bits for migration state (Yishai Hadas) [Orabug: 39065603]
- vfio: Adapt drivers to use the core helper vfio_check_precopy_ioctl (Yishai Hadas) [Orabug: 39065603]
- vfio: Add support for VFIO_DEVICE_FEATURE_MIG_PRECOPY_INFOv2 (Yishai Hadas) [Orabug: 39065603]
- vfio: Define uAPI for re-init initial bytes during the PRE_COPY phase (Yishai Hadas) [Orabug: 39065603]
- scsi: target: core: Add emulation for REPORT IDENTIFYING INFORMATION (Gulam Mohamed) [Orabug: 39098783]
- scsi: core: Fix error handling for scsi_alloc_sdev() (Junxiao Bi) [Orabug: 38976650]
- scsi: core: Fix refcount leak for tagset_refcnt (Junxiao Bi) [Orabug: 38976650,39130775] {CVE-2026-23296}
- scsi: core: Move two statements (Bart Van Assche) [Orabug: 38976650]
- mm, percpu: do not consider sleepable allocations atomic (Michal Hocko) [Orabug: 39100354]
- uek: kabi: Only do size allignment check on kabi_use when in 64 bit environment. (Yifei Liu) [Orabug: 39089315]