- What: Important security update for kernel
- Impact: Red Hat Enterprise Linux 9 users should apply the update to address security vulnerabilities
Red Hat Product Errata RHSA-2026:19568 - Security Advisory
Issued: 2026-05-20
Updated: 2026-05-20

Synopsis: Important: kernel security update
Type/Severity: Security Advisory: Important

Topic

An update for kernel is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

- kernel: net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit (CVE-2025-39766)
- kernel: scsi: qla2xxx: Fix improper freeing of purex item (CVE-2025-68741)
- kernel: libceph: make decode_pool() more resilient against corrupted osdmaps (CVE-2025-71116)
- kernel: libceph: prevent potential out-of-bounds reads in handle_auth_done() (CVE-2026-22984)
- kernel: libceph: replace overzealous BUG_ON in osdmap_apply_incremental() (CVE-2026-22990)
- kernel: Linux kernel: Denial of Service in libceph OSD client due to unreset sparse-read state (CVE-2026-23136)
- kernel: net/sched: cls_u32: use skb_header_pointer_careful() (CVE-2026-23204)
- kernel: Linux kernel: Use-after-free in traffic control (act_ct) may lead to denial of service or privilege escalation (CVE-2026-23270)
- kernel: Linux kernel KVM: Privilege escalation or denial of service due to improper shadow page table entry handling (CVE-2026-23401)
- kernel: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache (CVE-2026-31402)
- kernel: can: raw: fix ro->uniq use-after-free in raw_rcv() (CVE-2026-31532)
- kernel: usbip: validate number_of_packets in usbip_pack_ret_submit() (CVE-2026-31607)
- kernel: md/bitmap: fix GPF in write_page caused by resize race (CVE-2026-43163)
- kernel: RDMA/umem: Fix double dma_buf_unpin in failure path (CVE-2026-43128)
- kernel: "Dirty Frag" is a new universal Local Privilege Escalation (LPE) vulnerability in the Linux kernel (CVE-2026-43284)
- kernel: "Fragnesia" is a variant of Dirty Frag vulnerability in the ESP/XFRM leading to Local Privilege Escalation (LPE) vulnerability in the Linux kernel (CVE-2026-46300)
- kernel: Read root-owned files as an unprivileged user (CVE-2026-46333)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

Affected Products

- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.8 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.8 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.8 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
- Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.8 aarch64
- Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.8 ppc64le
- Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.8 x86_64
- Red Hat CodeReady Linux Builder for x86_64 9 x86_64
- Red Hat CodeReady Linux Builder for Power, little endian 9 ppc64le
- Red Hat CodeReady Linux Builder for ARM 64 9 aarch64
- Red Hat CodeReady Linux Builder for IBM z Systems 9 s390x
- Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.8 x86_64
- Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.8 ppc64le
- Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.8 s390x
- Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.8 aarch64
- Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.8 aarch64
- Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.8 s390x
- Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.8 x86_64
- Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.8 aarch64
- Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.8 ppc64le
- Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.8 s390x

Fixes

- BZ - 2394648 - CVE-2025-39766 kernel: net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit
- BZ - 2425046 - CVE-2025-68741 kernel: scsi: qla2xxx: Fix improper freeing of purex item
- BZ - 2429602 - CVE-2025-71116 kernel: libceph: make decode_pool() more resilient against corrupted osdmaps
- BZ - 2432389 - CVE-2026-22984 kernel: libceph: prevent potential out-of-bounds reads in handle_auth_done()
- BZ - 2432400 - CVE-2026-22990 kernel: libceph: replace overzealous BUG_ON in osdmap_apply_incremental()
- BZ - 2439852 - CVE-2026-23136 kernel: Linux kernel: Denial of Service in libceph OSD client due to unreset sparse-read state
- BZ - 2439931 - CVE-2026-23204 kernel: net/sched: cls_u32: use skb_header_pointer_careful()
- BZ - 2448745 - CVE-2026-23270 kernel: Linux kernel: Use-after-free in traffic control (act_ct) may lead to denial of service or privilege escalation
- BZ - 2453803 - CVE-2026-23401 kernel: Linux kernel KVM: Privilege escalation or denial of service due to improper shadow page table entry handling
- BZ - 2454844 - CVE-2026-31402 kernel: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
- BZ - 2461107 - CVE-2026-31532 kernel: can: raw: fix ro->uniq use-after-free in raw_rcv()
- BZ - 2461521 - CVE-2026-31607 kernel: usbip: validate number_of_packets in usbip_pack_ret_submit()
- BZ - 2467059 - CVE-2026-43163 kernel: md/bitmap: fix GPF in write_page caused by resize race
- BZ - 2467144 - CVE-2026-43128 kernel: RDMA/umem: Fix double dma_buf_unpin in failure path
- BZ - 2467771 - CVE-2026-43284 kernel: "Dirty Frag" ESP XFRM variant is a new universal Local Privilege Escalation (LPE) vulnerability in the Linux kernel
- BZ - 2477015 - CVE-2026-46300 kernel: "Fragnesia" is a variant of Dirty Frag vulnerability in the ESP/XFRM leading to Local Privilege Escalation (LPE) vulnerability in the Linux kernel
- BZ - 2477802 - CVE-2026-46333 kernel: Read root-owned files as an unprivileged user

CVEs

- CVE-2025-39766
- CVE-2025-68741
- CVE-2025-71116
- CVE-2026-22984
- CVE-2026-22990
- CVE-2026-23136
- CVE-2026-23204
- CVE-2026-23270
- CVE-2026-23401
- CVE-2026-31402
- CVE-2026-31532
- CVE-2026-31607
- CVE-2026-43128
- CVE-2026-43163
- CVE-2026-43284
- CVE-2026-46300
- CVE-2026-46333

References

- https://access.redhat.com/security/updates/classification/#important

Updated Packages

Note: More recent versions of these packages may be available.

Red Hat Enterprise Linux for x86_64 9
SRPM: kernel-5.14.0-687.10.1.el9_8.src.rpm