SUSE-SU-2026:0928-1: important: Security update for the Linux Kernel
SLE-UPDATES
null at suse.de
Wed Mar 18 20:41:35 UTC 2026
# Security update for the Linux Kernel
Announcement ID: SUSE-SU-2026:0928-1
Release Date: 2026-03-18T13:32:23Z
Rating: important
References:
* bsc#1238917
* bsc#1246166
* bsc#1247177
* bsc#1255049
* bsc#1255163
* bsc#1255401
* bsc#1256645
* bsc#1257231
* bsc#1257735
* bsc#1257749
* bsc#1257790
* bsc#1258340
* bsc#1258395
* bsc#1258849
* jsc#PED-12836
Cross-References:
* CVE-2023-53794
* CVE-2023-53827
* CVE-2025-21738
* CVE-2025-38224
* CVE-2025-38375
* CVE-2025-68285
* CVE-2025-71066
* CVE-2026-23004
* CVE-2026-23060
* CVE-2026-23074
* CVE-2026-23089
* CVE-2026-23191
* CVE-2026-23204
CVSS scores:
* CVE-2023-53794 ( SUSE ): 7.7
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2023-53794 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-53827 ( SUSE ): 7.3
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2023-53827 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-21738 ( SUSE ): 7.3
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-21738 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-21738 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-38224 ( SUSE ): 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-38224 ( NVD ): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
* CVE-2025-38375 ( SUSE ): 7.3
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-38375 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-38375 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-68285 ( SUSE ): 7.3
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-68285 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-71066 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-23004 ( SUSE ): 7.3
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-23004 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-23060 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-23060 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-23060 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-23074 ( SUSE ): 7.3
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-23074 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-23089 ( SUSE ): 5.2
CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-23089 ( SUSE ): 5.9 CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
* CVE-2026-23089 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-23191 ( SUSE ): 6.9
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-23191 ( SUSE ): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
* CVE-2026-23191 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-23204 ( SUSE ): 6.8
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2026-23204 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
* openSUSE Leap 15.3
* SUSE Linux Enterprise Micro 5.2
* SUSE Linux Enterprise Micro for Rancher 5.2
An update that solves 13 vulnerabilities, contains one feature and has one
security fix can now be installed.
## Description:
The SUSE Linux Enterprise 15 SP3 kernel was updated to fix various security
issues
The following security issues were fixed:
* CVE-2023-53794: cifs: fix session state check in reconnect to avoid use-
after-free issue (bsc#1255163).
* CVE-2023-53827: Bluetooth: L2CAP: Fix use-after-free in
l2cap_disconnect_{req,rsp} (bsc#1255049).
* CVE-2025-21738: ata: libata-sff: Ensure that we cannot write outside the
allocated buffer (bsc#1238917).
* CVE-2025-38375: virtio-net: ensure the received length does not exceed
allocated size (bsc#1247177).
* CVE-2025-68285: libceph: fix potential use-after-free in
have_mon_and_osd_map() (bsc#1255401).
* CVE-2025-71066: net/sched: ets: Always remove class from active list before
deleting in ets_qdisc_change (bsc#1256645).
* CVE-2026-23004: dst: fix races in rt6_uncached_list_del() and
rt_del_uncached_list() (bsc#1257231).
* CVE-2026-23060: crypto: authencesn - reject too-short AAD (assoclen<8) to
match ESP/ESN spec (bsc#1257735).
* CVE-2026-23074: net/sched: Enforce that teql can only be used as root qdisc
(bsc#1257749).
* CVE-2026-23089: ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free()
(bsc#1257790).
* CVE-2026-23191: ALSA: aloop: Fix racy access at PCM trigger (bsc#1258395).
* CVE-2026-23204: net: add skb_header_pointer_careful() helper (bsc#1258340).
The following non security issues were fixed:
* apparmor: fix differential encoding verification (bsc#1258849).
* apparmor: Fix double free of ns_name in aa_replace_profiles() (bsc#1258849).
* apparmor: fix memory leak in verify_header (bsc#1258849).
* apparmor: fix missing bounds check on DEFAULT table in verify_dfa()
(bsc#1258849).
* apparmor: fix side-effect bug in match_char() macro usage (bsc#1258849).
* apparmor: fix unprivileged local user can do privileged policy management
(bsc#1258849).
* apparmor: fix: limit the number of levels of policy namespaces
(bsc#1258849).
* apparmor: replace recursive profile removal with iterative approach
(bsc#1258849).
* apparmor: validate DFA start states are in bounds in unpack_pdb
(bsc#1258849).
## Special Instructions and Notes:
* Please reboot the system after installing this update.
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.3
zypper in -t patch SUSE-2026-928=1
* SUSE Linux Enterprise Micro 5.2
zypper in -t patch SUSE-SUSE-MicroOS-5.2-2026-928=1
* SUSE Linux Enterprise Micro for Rancher 5.2
zypper in -t patch SUSE-SUSE-MicroOS-5.2-2026-928=1
## Package List:
* openSUSE Leap 15.3 (noarch nosrc)
* kernel-docs-5.3.18-150300.59.238.1
* openSUSE Leap 15.3 (noarch)
* kernel-source-5.3.18-150300.59.238.1
* kernel-source-vanilla-5.3.18-150300.59.238.1
* kernel-macros-5.3.18-150300.59.238.1
* kernel-devel-5.3.18-150300.59.238.1
* kernel-docs-html-5.3.18-150300.59.238.1
* openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64)
* ocfs2-kmp-default-5.3.18-150300.59.238.1
* dlm-kmp-default-5.3.18-150300.59.238.1
* kernel-obs-build-5.3.18-150300.59.238.1
* kernel-obs-build-debugsource-5.3.18-150300.59.238.1
* kernel-default-optional-debuginfo-5.3.18-150300.59.238.1
* kernel-obs-qa-5.3.18-150300.59.238.1
* gfs2-kmp-default-5.3.18-150300.59.238.1
* reiserfs-kmp-default-debuginfo-5.3.18-150300.59.238.1
* reiserfs-kmp-default-5.3.18-150300.59.238.1
* kernel-default-devel-debuginfo-5.3.18-150300.59.238.1
* kernel-default-debuginfo-5.3.18-150300.59.238.1
* cluster-md-kmp-default-5.3.18-150300.59.238.1
* ocfs2-kmp-default-debuginfo-5.3.18-150300.59.238.1
* kernel-default-base-rebuild-5.3.18-150300.59.238.1.150300.18.142.1
* kernel-default-livepatch-5.3.18-150300.59.238.1
* kernel-default-extra-debuginfo-5.3.18-150300.59.238.1
* kselftests-kmp-default-5.3.18-150300.59.238.1
* dlm-kmp-default-debuginfo-5.3.18-150300.59.238.1
* kernel-default-base-5.3.18-150300.59.238.1.150300.18.142.1
* kernel-default-extra-5.3.18-150300.59.238.1
* kselftests-kmp-default-debuginfo-5.3.18-150300.59.238.1
* gfs2-kmp-default-debuginfo-5.3.18-150300.59.238.1
* kernel-default-optional-5.3.18-150300.59.238.1
* cluster-md-kmp-default-debuginfo-5.3.18-150300.59.238.1
* kernel-default-debugsource-5.3.18-150300.59.238.1
* kernel-default-devel-5.3.18-150300.59.238.1
* kernel-syms-5.3.18-150300.59.238.1
* openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64 nosrc)
* kernel-default-5.3.18-150300.59.238.1
* openSUSE Leap 15.3 (ppc64le s390x x86_64)
* kernel-default-livepatch-devel-5.3.18-150300.59.238.1
* openSUSE Leap 15.3 (nosrc ppc64le x86_64)
* kernel-kvmsmall-5.3.18-150300.59.238.1
* openSUSE Leap 15.3 (ppc64le x86_64)
* kernel-kvmsmall-debugsource-5.3.18-150300.59.238.1
* kernel-kvmsmall-devel-debuginfo-5.3.18-150300.59.238.1
* kernel-kvmsmall-debuginfo-5.3.18-150300.59.238.1
* kernel-kvmsmall-devel-5.3.18-150300.59.238.1
* openSUSE Leap 15.3 (aarch64 x86_64)
* ocfs2-kmp-preempt-5.3.18-150300.59.238.1
* dlm-kmp-preempt-debuginfo-5.3.18-150300.59.238.1
* reiserfs-kmp-preempt-5.3.18-150300.59.238.1
* kernel-preempt-devel-5.3.18-150300.59.238.1
* kernel-preempt-extra-5.3.18-150300.59.238.1
* cluster-md-kmp-preempt-5.3.18-150300.59.238.1
* kernel-preempt-optional-5.3.18-150300.59.238.1
* kernel-preempt-optional-debuginfo-5.3.18-150300.59.238.1
* ocfs2-kmp-preempt-debuginfo-5.3.18-150300.59.238.1
* kernel-preempt-extra-debuginfo-5.3.18-150300.59.238.1
* kernel-preempt-devel-debuginfo-5.3.18-150300.59.238.1
* gfs2-kmp-preempt-debuginfo-5.3.18-150300.59.238.1
* kernel-preempt-debugsource-5.3.18-150300.59.238.1
* reiserfs-kmp-preempt-debuginfo-5.3.18-150300.59.238.1
* kselftests-kmp-preempt-debuginfo-5.3.18-150300.59.238.1
* kernel-preempt-debuginfo-5.3.18-150300.59.238.1
* cluster-md-kmp-preempt-debuginfo-5.3.18-150300.59.238.1
* dlm-kmp-preempt-5.3.18-150300.59.238.1
* gfs2-kmp-preempt-5.3.18-150300.59.238.1
* kselftests-kmp-preempt-5.3.18-150300.59.238.1
* openSUSE Leap 15.3 (aarch64 nosrc x86_64)
* kernel-preempt-5.3.18-150300.59.238.1
* openSUSE Leap 15.3 (nosrc s390x)
* kernel-zfcpdump-5.3.18-150300.59.238.1
* openSUSE Leap 15.3 (s390x)
* kernel-zfcpdump-debuginfo-5.3.18-150300.59.238.1
* kernel-zfcpdump-debugsource-5.3.18-150300.59.238.1
* openSUSE Leap 15.3 (nosrc)
* dtb-aarch64-5.3.18-150300.59.238.1
* openSUSE Leap 15.3 (aarch64)
* dtb-altera-5.3.18-150300.59.238.1
* reiserfs-kmp-64kb-5.3.18-150300.59.238.1
* gfs2-kmp-64kb-5.3.18-150300.59.238.1
* kselftests-kmp-64kb-debuginfo-5.3.18-150300.59.238.1
* dtb-socionext-5.3.18-150300.59.238.1
* ocfs2-kmp-64kb-debuginfo-5.3.18-150300.59.238.1
* dtb-marvell-5.3.18-150300.59.238.1
* dtb-xilinx-5.3.18-150300.59.238.1
* dtb-cavium-5.3.18-150300.59.238.1
* dtb-zte-5.3.18-150300.59.238.1
* kernel-64kb-extra-5.3.18-150300.59.238.1
* dtb-sprd-5.3.18-150300.59.238.1
* gfs2-kmp-64kb-debuginfo-5.3.18-150300.59.238.1
* kselftests-kmp-64kb-5.3.18-150300.59.238.1
* kernel-64kb-optional-5.3.18-150300.59.238.1
* dtb-broadcom-5.3.18-150300.59.238.1
* dtb-apm-5.3.18-150300.59.238.1
* kernel-64kb-debuginfo-5.3.18-150300.59.238.1
* kernel-64kb-devel-debuginfo-5.3.18-150300.59.238.1
* ocfs2-kmp-64kb-5.3.18-150300.59.238.1
* dtb-amd-5.3.18-150300.59.238.1
* dtb-mediatek-5.3.18-150300.59.238.1
* dtb-nvidia-5.3.18-150300.59.238.1
* kernel-64kb-optional-debuginfo-5.3.18-150300.59.238.1
* dtb-hisilicon-5.3.18-150300.59.238.1
* cluster-md-kmp-64kb-debuginfo-5.3.18-150300.59.238.1
* cluster-md-kmp-64kb-5.3.18-150300.59.238.1
* dlm-kmp-64kb-5.3.18-150300.59.238.1
* kernel-64kb-extra-debuginfo-5.3.18-150300.59.238.1
* dtb-amlogic-5.3.18-150300.59.238.1
* kernel-64kb-devel-5.3.18-150300.59.238.1
* dtb-exynos-5.3.18-150300.59.238.1
* dtb-freescale-5.3.18-150300.59.238.1
* dtb-renesas-5.3.18-150300.59.238.1
* dlm-kmp-64kb-debuginfo-5.3.18-150300.59.238.1
* dtb-arm-5.3.18-150300.59.238.1
* dtb-allwinner-5.3.18-150300.59.238.1
* kernel-64kb-debugsource-5.3.18-150300.59.238.1
* dtb-qcom-5.3.18-150300.59.238.1
* dtb-lg-5.3.18-150300.59.238.1
* dtb-al-5.3.18-150300.59.238.1
* dtb-rockchip-5.3.18-150300.59.238.1
* reiserfs-kmp-64kb-debuginfo-5.3.18-150300.59.238.1
* openSUSE Leap 15.3 (aarch64 nosrc)
* kernel-64kb-5.3.18-150300.59.238.1
* SUSE Linux Enterprise Micro 5.2 (aarch64 nosrc s390x x86_64)
* kernel-default-5.3.18-150300.59.238.1
* SUSE Linux Enterprise Micro 5.2 (aarch64 x86_64)
* kernel-default-base-5.3.18-150300.59.238.1.150300.18.142.1
* SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64)
* kernel-default-debuginfo-5.3.18-150300.59.238.1
* kernel-default-debugsource-5.3.18-150300.59.238.1
* SUSE Linux Enterprise Micro for Rancher 5.2 (aarch64 nosrc s390x x86_64)
* kernel-default-5.3.18-150300.59.238.1
* SUSE Linux Enterprise Micro for Rancher 5.2 (aarch64 x86_64)
* kernel-default-base-5.3.18-150300.59.238.1.150300.18.142.1
* SUSE Linux Enterprise Micro for Rancher 5.2 (aarch64 s390x x86_64)
* kernel-default-debuginfo-5.3.18-150300.59.238.1
* kernel-default-debugsource-5.3.18-150300.59.238.1
## References:
* https://www.suse.com/security/cve/CVE-2023-53794.html
* https://www.suse.com/security/cve/CVE-2023-53827.html
* https://www.suse.com/security/cve/CVE-2025-21738.html
* https://www.suse.com/security/cve/CVE-2025-38224.html
* https://www.suse.com/security/cve/CVE-2025-38375.html
* https://www.suse.com/security/cve/CVE-2025-68285.html
* https://www.suse.com/security/cve/CVE-2025-71066.html
* https://www.suse.com/security/cve/CVE-2026-23004.html
* https://www.suse.com/security/cve/CVE-2026-23060.html
* https://www.suse.com/security/cve/CVE-2026-23074.html
* https://www.suse.com/security/cve/CVE-2026-23089.html
* https://www.suse.com/security/cve/CVE-2026-23191.html
* https://www.suse.com/security/cve/CVE-2026-23204.html
* https://bugzilla.suse.com/show_bug.cgi?id=1238917
* https://bugzilla.suse.com/show_bug.cgi?id=1246166
* https://bugzilla.suse.com/show_bug.cgi?id=1247177
* https://bugzilla.suse.com/show_bug.cgi?id=1255049
* https://bugzilla.suse.com/show_bug.cgi?id=1255163
* https://bugzilla.suse.com/show_bug.cgi?id=1255401
* https://bugzilla.suse.com/show_bug.cgi?id=1256645
* https://bugzilla.suse.com/show_bug.cgi?id=1257231
* https://bugzilla.suse.com/show_bug.cgi?id=1257735
* https://bugzilla.suse.com/show_bug.cgi?id=1257749
* https://bugzilla.suse.com/show_bug.cgi?id=1257790
* https://bugzilla.suse.com/show_bug.cgi?id=1258340
* https://bugzilla.suse.com/show_bug.cgi?id=1258395
* https://bugzilla.suse.com/show_bug.cgi?id=1258849
* https://jira.suse.com/browse/PED-12836
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20260318/65882c20/attachment.htm>
More information about the sle-updates
mailing list