ELSA-2026-50388

ELSA-2026-50388 - Unbreakable Enterprise kernel security update

Type:SECURITY
Impact:IMPORTANT
Release Date:2026-07-10

Description


[5.4.17-2136.357.3.2]
- locking/rtmutex: Skip remove_waiter() when waiter is not enqueued (Davidlohr Bueso) [Orabug: 39706958]
- rtmutex: Use waiter::task instead of current in remove_waiter() (Keenan Dong) [Orabug: 39706958] {CVE-2026-43499}

[5.4.17-2136.357.3.1]
- KVM: x86: Fix shadow paging use-after-free due to unexpected role (Paolo Bonzini) [Orabug: 39673892]
- KVM: x86: Fix shadow paging use-after-free due to unexpected GFN (Sean Christopherson) [Orabug: 39673892]
- KVM: x86/MMU: Recursively zap nested TDP SPs when zapping last/only parent (Ben Gardon) [Orabug: 39673892]
- KVM: x86/mmu: Move flush logic from mmu_page_zap_pte() to FNAME(invlpg) (Sean Christopherson) [Orabug: 39673892]
- KVM: x86/mmu: pull call to drop_large_spte() into __link_shadow_page() (Paolo Bonzini) [Orabug: 39673892]
- KVM: x86/mmu: Passing up the error state of mmu_alloc_shadow_roots() (Like Xu) [Orabug: 39673892]
- KVM: MMU: load PDPTRs outside mmu_lock (Paolo Bonzini) [Orabug: 39673892]
- KVM: x86/mmu: Check PDPTRs before allocating PAE roots (Sean Christopherson) [Orabug: 39673892]
- KVM: x86/mmu: Always pass 0 for @quadrant when gptes are 8 bytes (David Matlack) [Orabug: 39673892]
- KVM: x86/mmu: Derive shadow MMU page role from parent (David Matlack) [Orabug: 39673892]
- KVM: X86: Remove useless code to set role.gpte_is_8_bytes when role.direct (Lai Jiangshan) [Orabug: 39673892]
- KVM: X86: Synchronize the shadow pagetable before link it (Lai Jiangshan) [Orabug: 39673892]
- KVM: X86: Fix missed remote tlb flush in rmap_write_protect() (Lai Jiangshan) [Orabug: 39673892]
- KVM: x86/mmu: Refactor shadow walk in __direct_map() to reduce indentation (Sean Christopherson) [Orabug: 39673892]
- KVM: x86/mmu: Stop passing 'direct' to mmu_alloc_root() (David Matlack) [Orabug: 39673892]
- KVM: x86/mmu: Use a bool for direct (David Matlack) [Orabug: 39673892]
- kvm: mmu: Replace unsigned with unsigned int for PTE access (Ben Gardon) [Orabug: 39673892]
- KVM: x86/mmu: Ensure MMU pages are available when allocating roots (Sean Christopherson) [Orabug: 39673892]
- KVM: x86/mmu: Allocate pae_root and lm_root pages in dedicated helper (Sean Christopherson) [Orabug: 39673892]
- KVM: x86/mmu: Allocate the lm_root before allocating PAE roots (Sean Christopherson) [Orabug: 39673892]
- KVM: x86/mmu: Capture 'mmu' in a local variable when allocating roots (Sean Christopherson) [Orabug: 39673892]
- KVM: x86/mmu: Alloc page for PDPTEs when shadowing 32-bit NPT with 64-bit (Sean Christopherson) [Orabug: 39673892]
- KVM: x86/mmu: Stash 'kvm' in a local variable in kvm_mmu_free_roots() (Sean Christopherson) [Orabug: 39673892]
- KVM: x86/mmu: Add a helper to consolidate root sp allocation (Sean Christopherson) [Orabug: 39673892]
- net/sched: act_pedit: fix action bind logic (Pedro Tammela) [Orabug: 39680880]
- net/sched: act_pedit: free pedit keys on bail from offset check (Pedro Tammela) [Orabug: 39680880]
- net/sched: fix pedit partial COW leading to page cache corruption (Rajat Gupta) [Orabug: 39680880] {CVE-2026-46331}
- net/sched: act_pedit: Parse L3 Header for L4 offset (Max Tottenham) [Orabug: 39680880]
- net/sched: act_pedit: rate limit datapath messages (Pedro Tammela) [Orabug: 39680880]
- net/sched: act_pedit: check static offsets a priori (Pedro Tammela) [Orabug: 39680880]
- net/sched: act_pedit: remove extra check for key type (Pedro Tammela) [Orabug: 39680880]
- net/sched: simplify tcf_pedit_act (Pedro Tammela) [Orabug: 39680880]
- net/sched: transition act_pedit to rcu and percpu stats (Pedro Tammela) [Orabug: 39680880]
- net/sched: act_pedit: use NLA_POLICY for parsing 'ex' keys (Pedro Tammela) [Orabug: 39680880]

[5.4.17-2136.357.3]
- net: skbuff: fix missing zerocopy reference in pskb_carve helpers (Minh Nguyen) [Orabug: 39619389] {CVE-2026-52943}

[5.4.17-2136.357.2]
- net: fix fanout UAF in packet_release() via NETDEV_UP race (Yochai Eisenrich) [Orabug: 39250953] {CVE-2026-31504}
- x86/kaslr: Recognize all ZONE_DEVICE users as physaddr consumers (Dan Williams) [Orabug: 39429802]
- x86/kaslr: Reduce KASLR entropy on most x86 systems (Balbir Singh) [Orabug: 39429802]
- net: tap: NULL pointer derefence in dev_parse_header_protocol when skb->dev is null (Cezar Bulinaru) [Orabug: 39526882] {CVE-2022-50073}
- arm64: errata: Mitigate TLBI errata on various Arm CPUs (Mark Rutland) [Orabug: 39548666] {CVE-2025-10263}
- arm64: tlb: Add ARM64_WORKAROUND_REPEAT_TLBI_SYNC (Mark Rutland) [Orabug: 39548666]
- ARM: uek: Disable CONFIG_QCOM_FALKOR_ERRATUM_1003 (Boris Ostrovsky) [Orabug: 39548666]
- arm64: tlb: allow XZR argument to TLBI ops (Mark Rutland) [Orabug: 39548666]
- arm64: cputype: Add C1-Premium definitions (Mark Rutland) [Orabug: 39548666]
- arm64: cputype: Add C1-Ultra definitions (Mark Rutland) [Orabug: 39548666]
- ip6_tunnel: clear skb2->cb[] in ip4ip6_err() (Eric Dumazet) [Orabug: 39300926] {CVE-2026-43037}

[5.4.17-2136.357.1]
- batman-adv: hold claim backbone gateways by reference (Haoze Xie) [Orabug: 39262375] {CVE-2026-31657}
- scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker (Michael Bommarito) [Orabug: 39446045]
- scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd() (Michael Bommarito) [Orabug: 39446045]
- scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf (Michael Bommarito) [Orabug: 39446045]
- rds: Drop rds conn in connect worker if not in down state. (Rohit Nair) [Orabug: 39152239]

[5.4.17-2136.356.4.1]
- smb: client: reject userspace cifs.spnego descriptions (Asim Viladi Oglu Manizada) [Orabug: 39463669] {CVE-2026-46243}

[5.4.17-2136.356.4]
- tun: free page on build_skb failure in tun_xdp_one() (Weiming Shi) [Orabug: 39429147]
- tap: free page on error paths in tap_get_user_xdp() (Weiming Shi) [Orabug: 39429147]
- tun: free page on short-frame rejection in tun_xdp_one() (Weiming Shi) [Orabug: 39429147]

[5.4.17-2136.356.3]
- ptrace: slightly saner 'get_dumpable()' logic (Linus Torvalds) [Orabug: 39384275,39391459] {CVE-2026-46333}
- net: skbuff: propagate shared-frag marker through frag-transfer helpers (Hyunwoo Kim) [Orabug: 39368828,39441326] {CVE-2026-43503,CVE-2026-46300}
- net: skbuff: preserve shared-frag marker during coalescing (William Bowling) [Orabug: 39368828] {CVE-2026-46300}

[5.4.17-2136.356.2]
- nfsd: fix heap overflow in NFSv4.0 LOCK replay cache (Jeff Layton) [Orabug: 39167617,39368718] {CVE-2026-31402}
- scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count() (Maurizio Lombardi) [Orabug: 38985173,39368732] {CVE-2026-23216}
- scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count() (Maurizio Lombardi) [Orabug: 38970455,39368774] {CVE-2026-23193}
- xfrm: esp: avoid in-place decrypt on shared skb frags (Kuan-Ting Chen) [Orabug: 39334580,39367147] {CVE-2026-43284}
- x86/CPU/AMD: Add a fix for AMD-SB-7052 (Prathyushi Nangia) [Orabug: 39218897] {CVE-2025-54518}

[5.4.17-2136.356.1]
- arm64/kvm: Include linux/random.h in trng.c (Siddh Raman Pant) [Orabug: 39327096]
- i2c: designware: Disable TX_EMPTY irq while waiting for block length byte (Tam Nguyen) [Orabug: 39174662]
- i2c: designware: Handle invalid SMBus block data response length value (Tam Nguyen) [Orabug: 39174662]
- i2c: designware: fix __i2c_dw_disable() in case master is holding SCL low (Yann Sionneau) [Orabug: 39174662]


Related CVEs


CVE-2026-43499

Updated Packages


Release/ArchitectureFilenamesha256Superseded By AdvisoryChannel Label
Oracle Linux 7 (x86_64) kernel-uek-5.4.17-2136.357.3.2.el7uek.src.rpmcef8b883d9c3e856304b1e6d311285e5835afa509ded3a609cfd612555ae2a33-ol7_x86_64_UEKR6_ELS
kernel-uek-5.4.17-2136.357.3.2.el7uek.x86_64.rpmf8eae2c6abfc7ca9ff593f6f00ff9882a6e6e05843db7453f1d8dbedc24fbdf2-ol7_x86_64_UEKR6_ELS
kernel-uek-container-5.4.17-2136.357.3.2.el7uek.x86_64.rpmb99d3f12b1045fdda3b3c55f20cd5377b573b8460e70f01ca98e04b6787836eb-ol7_x86_64_UEKR6_ELS
kernel-uek-container-debug-5.4.17-2136.357.3.2.el7uek.x86_64.rpma3a22dddfd4de6f79fe33e9ccdad1f5ba82eaafbb10680bd575c1b07ead0b8d9-ol7_x86_64_UEKR6_ELS
kernel-uek-debug-5.4.17-2136.357.3.2.el7uek.x86_64.rpmda57287ce96ead13585e6810b97071614ea665bae4935d412008763cc2a6c696-ol7_x86_64_UEKR6_ELS
kernel-uek-debug-devel-5.4.17-2136.357.3.2.el7uek.x86_64.rpm3f47b2867d51edebd629edec5ca6fee6481ba15e911dcfcb6e78399b05c70d5e-ol7_x86_64_UEKR6_ELS
kernel-uek-devel-5.4.17-2136.357.3.2.el7uek.x86_64.rpm7a6e1bbfdfca5c7b08c21ff96137c7eafdd098435c253e4d8872d4f2ab76e705-ol7_x86_64_UEKR6_ELS
kernel-uek-doc-5.4.17-2136.357.3.2.el7uek.noarch.rpm24cdd7fbbcaf7967be66a3e41dc215b83c3baa447ca8c5c62da8060ce05eee3d-ol7_x86_64_UEKR6_ELS
kernel-uek-tools-5.4.17-2136.357.3.2.el7uek.x86_64.rpm43f182f1e7316e44e2afd158490a3c96dff8bef40eff5e729b4037afd75fa1b7-ol7_x86_64_UEKR6_ELS
Oracle Linux 8 (aarch64) kernel-uek-5.4.17-2136.357.3.2.el8uek.src.rpm7108c1bb3366baf8d10bdc7e62b4c6a5b6ad0431a6c70a7b4cc41f7daf7f66ca-ol8_aarch64_baseos_latest
kernel-uek-5.4.17-2136.357.3.2.el8uek.src.rpm7108c1bb3366baf8d10bdc7e62b4c6a5b6ad0431a6c70a7b4cc41f7daf7f66ca-ol8_aarch64_u10_baseos_patch
kernel-uek-5.4.17-2136.357.3.2.el8uek.aarch64.rpmef616045984c1b12a8db7c3b1358affed81f08f8f893f8ef0e16bf77b1cb3bb6-ol8_aarch64_baseos_latest
kernel-uek-5.4.17-2136.357.3.2.el8uek.aarch64.rpmef616045984c1b12a8db7c3b1358affed81f08f8f893f8ef0e16bf77b1cb3bb6-ol8_aarch64_u10_baseos_patch
kernel-uek-debug-5.4.17-2136.357.3.2.el8uek.aarch64.rpm942d09ecdc14a1578522786e3788d6ae49845f63aa1981c28ecbd86c9ad52b20-ol8_aarch64_baseos_latest
kernel-uek-debug-5.4.17-2136.357.3.2.el8uek.aarch64.rpm942d09ecdc14a1578522786e3788d6ae49845f63aa1981c28ecbd86c9ad52b20-ol8_aarch64_u10_baseos_patch
kernel-uek-debug-devel-5.4.17-2136.357.3.2.el8uek.aarch64.rpm4cda59c45cbebf1083b6a0e563b72ee5b848ebefa6787d470b3e6c2c8e1d8172-ol8_aarch64_baseos_latest
kernel-uek-debug-devel-5.4.17-2136.357.3.2.el8uek.aarch64.rpm4cda59c45cbebf1083b6a0e563b72ee5b848ebefa6787d470b3e6c2c8e1d8172-ol8_aarch64_u10_baseos_patch
kernel-uek-devel-5.4.17-2136.357.3.2.el8uek.aarch64.rpm0c281f2a46f1bdb8fe7df5599cc18821da94c76ac76de2dde1358c4674045394-ol8_aarch64_baseos_latest
kernel-uek-devel-5.4.17-2136.357.3.2.el8uek.aarch64.rpm0c281f2a46f1bdb8fe7df5599cc18821da94c76ac76de2dde1358c4674045394-ol8_aarch64_u10_baseos_patch
kernel-uek-doc-5.4.17-2136.357.3.2.el8uek.noarch.rpmefeb89271015cb310f42949f90075ced58e763fc9adbae5914c80309fafc1665-ol8_aarch64_baseos_latest
kernel-uek-doc-5.4.17-2136.357.3.2.el8uek.noarch.rpmefeb89271015cb310f42949f90075ced58e763fc9adbae5914c80309fafc1665-ol8_aarch64_u10_baseos_patch
Oracle Linux 8 (x86_64) kernel-uek-5.4.17-2136.357.3.2.el8uek.src.rpm7108c1bb3366baf8d10bdc7e62b4c6a5b6ad0431a6c70a7b4cc41f7daf7f66ca-ol8_x86_64_UEKR6
kernel-uek-5.4.17-2136.357.3.2.el8uek.x86_64.rpmffaab8f51beab9ebf95728ec0a3de5fb91a9d7bf404d5db5330122177f716118-ol8_x86_64_UEKR6
kernel-uek-container-5.4.17-2136.357.3.2.el8uek.x86_64.rpme414a427d1511bd10b7594e8ec90d5fa5937c8fe6d6e51c28ef59832045e41ec-ol8_x86_64_UEKR6
kernel-uek-container-debug-5.4.17-2136.357.3.2.el8uek.x86_64.rpm42ef72b2d96c8380f6eb5ff29bb366db00c373337de2699d4a32ad7220b405c0-ol8_x86_64_UEKR6
kernel-uek-debug-5.4.17-2136.357.3.2.el8uek.x86_64.rpm223ca1450f8558b2ef339241b7ba8de9e12e4cac557c6458595b55c83f91a1cf-ol8_x86_64_UEKR6
kernel-uek-debug-devel-5.4.17-2136.357.3.2.el8uek.x86_64.rpmc491d6740b606503a5547b39b29654d8b2f1dafb4464a1461456645619cdf748-ol8_x86_64_UEKR6
kernel-uek-devel-5.4.17-2136.357.3.2.el8uek.x86_64.rpmfac493ebecb248a29258e730e1de4128df51c375fe9c4f720675131152edf439-ol8_x86_64_UEKR6
kernel-uek-doc-5.4.17-2136.357.3.2.el8uek.noarch.rpmefeb89271015cb310f42949f90075ced58e763fc9adbae5914c80309fafc1665-ol8_x86_64_UEKR6



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team

software.hardware.complete