kernel-4.18.0-553.104.1.el8_10

エラータID: AXSA:2026-172:10

Release date: 
Friday, February 13, 2026 - 14:28
Subject: 
kernel-4.18.0-553.104.1.el8_10
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
Moderate
Description: 

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: vsock/vmci: Clear the vmci transport packet properly when initializing it (CVE-2025-38403)
* kernel: net: use dst_dev_rcu() in sk_setup_caps() (CVE-2025-40170)
* kernel: ipv6: use RCU in ip6_xmit() (CVE-2025-40135)
* kernel: ipv6: use RCU in ip6_output() (CVE-2025-40158)
* kernel: Linux kernel ALSA USB audio driver: Buffer overflow leading to information disclosure and denial of service (CVE-2025-40269)
* kernel: ext4: fix use-after-free in ext4_orphan_cleanup (CVE-2022-50673)
* kernel: NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid (CVE-2025-68349)
* kernel: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec (CVE-2026-22998)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2022-50673
In the Linux kernel, the following vulnerability has been resolved: ext4: fix use-after-free in ext4_orphan_cleanup I caught a issue as follows: ================================================================== BUG: KASAN: use-after-free in __list_add_valid+0x28/0x1a0 Read of size 8 at addr ffff88814b13f378 by task mount/710 CPU: 1 PID: 710 Comm: mount Not tainted 6.1.0-rc3-next #370 Call Trace: dump_stack_lvl+0x73/0x9f print_report+0x25d/0x759 kasan_report+0xc0/0x120 __asan_load8+0x99/0x140 __list_add_valid+0x28/0x1a0 ext4_orphan_cleanup+0x564/0x9d0 [ext4] __ext4_fill_super+0x48e2/0x5300 [ext4] ext4_fill_super+0x19f/0x3a0 [ext4] get_tree_bdev+0x27b/0x450 ext4_get_tree+0x19/0x30 [ext4] vfs_get_tree+0x49/0x150 path_mount+0xaae/0x1350 do_mount+0xe2/0x110 __x64_sys_mount+0xf0/0x190 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] ================================================================== Above issue may happen as follows: ------------------------------------- ext4_fill_super ext4_orphan_cleanup --- loop1: assume last_orphan is 12 --- list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan) ext4_truncate --> return 0 ext4_inode_attach_jinode --> return -ENOMEM iput(inode) --> free inode<12> --- loop2: last_orphan is still 12 --- list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan); // use inode<12> and trigger UAF To solve this issue, we need to propagate the return value of ext4_inode_attach_jinode() appropriately.
CVE-2025-38403
In the Linux kernel, the following vulnerability has been resolved: vsock/vmci: Clear the vmci transport packet properly when initializing it In vmci_transport_packet_init memset the vmci_transport_packet before populating the fields to avoid any uninitialised data being left in the structure.
CVE-2025-40135
In the Linux kernel, the following vulnerability has been resolved: ipv6: use RCU in ip6_xmit() Use RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent possible UAF.
CVE-2025-40158
In the Linux kernel, the following vulnerability has been resolved: ipv6: use RCU in ip6_output() Use RCU in ip6_output() in order to use dst_dev_rcu() to prevent possible UAF. We can remove rcu_read_lock()/rcu_read_unlock() pairs from ip6_finish_output2().
CVE-2025-40170
In the Linux kernel, the following vulnerability has been resolved: net: use dst_dev_rcu() in sk_setup_caps() Use RCU to protect accesses to dst->dev from sk_setup_caps() and sk_dst_gso_max_size(). Also use dst_dev_rcu() in ip6_dst_mtu_maybe_forward(), and ip_dst_mtu_maybe_forward(). ip4_dst_hoplimit() can use dst_dev_net_rcu().
CVE-2025-40269
In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix potential overflow of PCM transfer buffer The PCM stream data in USB-audio driver is transferred over USB URB packet buffers, and each packet size is determined dynamically. The packet sizes are limited by some factors such as wMaxPacketSize USB descriptor. OTOH, in the current code, the actually used packet sizes are determined only by the rate and the PPS, which may be bigger than the size limit above. This results in a buffer overflow, as reported by syzbot. Basically when the limit is smaller than the calculated packet size, it implies that something is wrong, most likely a weird USB descriptor. So the best option would be just to return an error at the parameter setup time before doing any further operations. This patch introduces such a sanity check, and returns -EINVAL when the packet size is greater than maxpacksize. The comparison with ep->packsize[1] alone should suffice since it's always equal or greater than ep->packsize[0].
CVE-2025-68349
In the Linux kernel, the following vulnerability has been resolved: NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid Fixes a crash when layout is null during this call stack: write_inode -> nfs4_write_inode -> pnfs_layoutcommit_inode pnfs_set_layoutcommit relies on the lseg refcount to keep the layout around. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt to reference a null layout.
CVE-2026-22998
In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") added ttag bounds checking and data_offset validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate whether the command's data structures (cmd->req.sg and cmd->iov) have been properly initialized before processing H2C_DATA PDUs. The nvmet_tcp_build_pdu_iovec() function dereferences these pointers without NULL checks. This can be triggered by sending H2C_DATA PDU immediately after the ICREQ/ICRESP handshake, before sending a CONNECT command or NVMe write command. Attack vectors that trigger NULL pointer dereferences: 1. H2C_DATA PDU sent before CONNECT → both pointers NULL 2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL 3. H2C_DATA PDU for uninitialized command slot → both pointers NULL The fix validates both cmd->req.sg and cmd->iov before calling nvmet_tcp_build_pdu_iovec(). Both checks are required because: - Uninitialized commands: both NULL - READ commands: cmd->req.sg allocated, cmd->iov NULL - WRITE commands: both allocated

Solution: 

Update packages.

CVEs: 
CVE-2022-50673
In the Linux kernel, the following vulnerability has been resolved: ext4: fix use-after-free in ext4_orphan_cleanup I caught a issue as follows: ================================================================== BUG: KASAN: use-after-free in __list_add_valid+0x28/0x1a0 Read of size 8 at addr ffff88814b13f378 by task mount/710 CPU: 1 PID: 710 Comm: mount Not tainted 6.1.0-rc3-next #370 Call Trace: dump_stack_lvl+0x73/0x9f print_report+0x25d/0x759 kasan_report+0xc0/0x120 __asan_load8+0x99/0x140 __list_add_valid+0x28/0x1a0 ext4_orphan_cleanup+0x564/0x9d0 [ext4] __ext4_fill_super+0x48e2/0x5300 [ext4] ext4_fill_super+0x19f/0x3a0 [ext4] get_tree_bdev+0x27b/0x450 ext4_get_tree+0x19/0x30 [ext4] vfs_get_tree+0x49/0x150 path_mount+0xaae/0x1350 do_mount+0xe2/0x110 __x64_sys_mount+0xf0/0x190 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] ================================================================== Above issue may happen as follows: ------------------------------------- ext4_fill_super ext4_orphan_cleanup --- loop1: assume last_orphan is 12 --- list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan) ext4_truncate --> return 0 ext4_inode_attach_jinode --> return -ENOMEM iput(inode) --> free inode<12> --- loop2: last_orphan is still 12 --- list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan); // use inode<12> and trigger UAF To solve this issue, we need to propagate the return value of ext4_inode_attach_jinode() appropriately.
CVE-2025-38403
In the Linux kernel, the following vulnerability has been resolved: vsock/vmci: Clear the vmci transport packet properly when initializing it In vmci_transport_packet_init memset the vmci_transport_packet before populating the fields to avoid any uninitialised data being left in the structure.
CVE-2025-40135
In the Linux kernel, the following vulnerability has been resolved: ipv6: use RCU in ip6_xmit() Use RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent possible UAF.
CVE-2025-40158
In the Linux kernel, the following vulnerability has been resolved: ipv6: use RCU in ip6_output() Use RCU in ip6_output() in order to use dst_dev_rcu() to prevent possible UAF. We can remove rcu_read_lock()/rcu_read_unlock() pairs from ip6_finish_output2().
CVE-2025-40170
In the Linux kernel, the following vulnerability has been resolved: net: use dst_dev_rcu() in sk_setup_caps() Use RCU to protect accesses to dst->dev from sk_setup_caps() and sk_dst_gso_max_size(). Also use dst_dev_rcu() in ip6_dst_mtu_maybe_forward(), and ip_dst_mtu_maybe_forward(). ip4_dst_hoplimit() can use dst_dev_net_rcu().
CVE-2025-40269
In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix potential overflow of PCM transfer buffer The PCM stream data in USB-audio driver is transferred over USB URB packet buffers, and each packet size is determined dynamically. The packet sizes are limited by some factors such as wMaxPacketSize USB descriptor. OTOH, in the current code, the actually used packet sizes are determined only by the rate and the PPS, which may be bigger than the size limit above. This results in a buffer overflow, as reported by syzbot. Basically when the limit is smaller than the calculated packet size, it implies that something is wrong, most likely a weird USB descriptor. So the best option would be just to return an error at the parameter setup time before doing any further operations. This patch introduces such a sanity check, and returns -EINVAL when the packet size is greater than maxpacksize. The comparison with ep->packsize[1] alone should suffice since it's always equal or greater than ep->packsize[0].
CVE-2025-68349
In the Linux kernel, the following vulnerability has been resolved: NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid Fixes a crash when layout is null during this call stack: write_inode -> nfs4_write_inode -> pnfs_layoutcommit_inode pnfs_set_layoutcommit relies on the lseg refcount to keep the layout around. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt to reference a null layout.
CVE-2026-22998
In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") added ttag bounds checking and data_offset validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate whether the command's data structures (cmd->req.sg and cmd->iov) have been properly initialized before processing H2C_DATA PDUs. The nvmet_tcp_build_pdu_iovec() function dereferences these pointers without NULL checks. This can be triggered by sending H2C_DATA PDU immediately after the ICREQ/ICRESP handshake, before sending a CONNECT command or NVMe write command. Attack vectors that trigger NULL pointer dereferences: 1. H2C_DATA PDU sent before CONNECT → both pointers NULL 2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL 3. H2C_DATA PDU for uninitialized command slot → both pointers NULL The fix validates both cmd->req.sg and cmd->iov before calling nvmet_tcp_build_pdu_iovec(). Both checks are required because: - Uninitialized commands: both NULL - READ commands: cmd->req.sg allocated, cmd->iov NULL - WRITE commands: both allocated
Additional Info: 

N/A

Download: 

SRPMS
  1. kernel-4.18.0-553.104.1.el8_10.src.rpm
    MD5: 7448fc40cd583a15818e0f243c853383
    SHA-256: 8932156b7afccb9fb5d9492c61f232109558d0fc136f7aa7bb375135d234d4d2
    Size: 132.34 MB

Asianux Server 8 for x86_64
  1. bpftool-4.18.0-553.104.1.el8_10.x86_64.rpm
    MD5: dd35d0e8e9120b4536388bd29c12f7e9
    SHA-256: ee01f767fc2c1397d0f6d5e2578426c80a19619770898397eda777eaf50db0e6
    Size: 11.28 MB
  2. kernel-4.18.0-553.104.1.el8_10.x86_64.rpm
    MD5: af60c240a93912bcf930fb80d25a9662
    SHA-256: 253f6358069c9b66edc24e35b4895defa452f089e847814b6e46a8dcafd06430
    Size: 10.55 MB
  3. kernel-abi-stablelists-4.18.0-553.104.1.el8_10.noarch.rpm
    MD5: a061eddc5d4df6815e7585cc6cec80ad
    SHA-256: 174836b4aca245b1efd053b5cef4ac8d21a30ce3a5d7ef3e16256ff132e4e0ab
    Size: 10.57 MB
  4. kernel-core-4.18.0-553.104.1.el8_10.x86_64.rpm
    MD5: 29395849da5269bc0ff0751e9b248c58
    SHA-256: 63cfb5331e5ae9857ec50c2bdcbb3dae47aba3eed45356fa025d1d2e11c2ddad
    Size: 43.59 MB
  5. kernel-cross-headers-4.18.0-553.104.1.el8_10.x86_64.rpm
    MD5: deffdc99b64619dc5603d032e7283c3f
    SHA-256: 462585e60b24f70eb4c7df0bece7703fe9b508945a8fa3724c4c114b4b4f9c10
    Size: 15.90 MB
  6. kernel-debug-4.18.0-553.104.1.el8_10.x86_64.rpm
    MD5: 853f507385bdc7055bfa0de5d08f7122
    SHA-256: 681b2ce9179a58e7f952f0ee944348952426f9113babbffb7c78c69875cae461
    Size: 10.55 MB
  7. kernel-debug-core-4.18.0-553.104.1.el8_10.x86_64.rpm
    MD5: 86b2ee36258f49bd8c22673966489f7b
    SHA-256: 6527aa7500841dbaff974a108308b83c627a4043cdc678421b7c9686842867ac
    Size: 72.89 MB
  8. kernel-debug-devel-4.18.0-553.104.1.el8_10.x86_64.rpm
    MD5: 9b2bd957311287d090d76956be945908
    SHA-256: 3b8cb2354cf5330de79dd5113d018ceffa6fb51fc0963289c64815b468199f49
    Size: 24.39 MB
  9. kernel-debug-modules-4.18.0-553.104.1.el8_10.x86_64.rpm
    MD5: 9d8232a7ae52c10e60479789b360a1be
    SHA-256: 4677ef6513b3dd00b7dfbbe5074148267863581d6e77691721b42df54a6b8515
    Size: 65.99 MB
  10. kernel-debug-modules-extra-4.18.0-553.104.1.el8_10.x86_64.rpm
    MD5: 7bc8cd8edbe1ef1701fcde67b225feb1
    SHA-256: 4b12cf5d8162c2ef80949582fd6a45815092079f031814fde56caa5bbbaf97ce
    Size: 11.93 MB
  11. kernel-devel-4.18.0-553.104.1.el8_10.x86_64.rpm
    MD5: aa603d3e63b6313c070e45ab7bf85e9b
    SHA-256: 2bc6e85f4d8bd82ab1a7ea6d230644eda99bee67f41999235d542f7a5aca4085
    Size: 24.19 MB
  12. kernel-doc-4.18.0-553.104.1.el8_10.noarch.rpm
    MD5: 01e80299009eb68dcc9f663dd930faae
    SHA-256: 72096ba6a102c9940ca32a7855a81240b25572421032133b1f61c69c9fc5a2da
    Size: 28.42 MB
  13. kernel-headers-4.18.0-553.104.1.el8_10.x86_64.rpm
    MD5: d55277c71b961823585a19d50fbca396
    SHA-256: 7417d58dfbbb884b0e0e6da4781a9f08a3b424745d2a2dfe8441991dd39d982b
    Size: 11.90 MB
  14. kernel-modules-4.18.0-553.104.1.el8_10.x86_64.rpm
    MD5: b6c9d5684dc925eda566f6de8b6b17f2
    SHA-256: 37a1a409f31d1e1e1771f5f59685be76d281aaa37fd5e42a968fa06a75bf27e9
    Size: 36.38 MB
  15. kernel-modules-extra-4.18.0-553.104.1.el8_10.x86_64.rpm
    MD5: 6f4a3ae61e007c944fa4b96d5f74e5cd
    SHA-256: 28ae0e8fb5c179dc2d33af38aafc763e54e0043a7acc674ebe53501caacec446
    Size: 11.24 MB
  16. kernel-tools-4.18.0-553.104.1.el8_10.x86_64.rpm
    MD5: 1ab243586866ee7dcc3a8f593f35bf0f
    SHA-256: 6f08b5d63ab89064b30d270093bb6fb295f558faf51295f4bf839004ac04093c
    Size: 10.77 MB
  17. kernel-tools-libs-4.18.0-553.104.1.el8_10.x86_64.rpm
    MD5: 98f767246dde25662c0e87028a250fa1
    SHA-256: b8eae796a10c488cfba91e73d7d10b9bf0750a287fd822070c9c6b079fd04b24
    Size: 10.56 MB
  18. kernel-tools-libs-devel-4.18.0-553.104.1.el8_10.x86_64.rpm
    MD5: c2e3bd5e53abcda4c59dadc60fcecea0
    SHA-256: 4c2bdc7003b412297b6d59554ab04048b5784c077258b353caf7d9beff8772c7
    Size: 10.55 MB
  19. perf-4.18.0-553.104.1.el8_10.x86_64.rpm
    MD5: 74986d8e8a7a6867b5697aacf0751474
    SHA-256: ee626cfcfea96b04bdc48b5a4d3cefd58e1a79a79bf47a72674951ad1cb79ae0
    Size: 12.87 MB
  20. python3-perf-4.18.0-553.104.1.el8_10.x86_64.rpm
    MD5: 4c269f918877ae1bfd8bcaed7203455c
    SHA-256: a1c3ef1ebd67cbf932e5b40d2b517f98b04800c064bd9fb000a6859ece4a8bc0
    Size: 10.68 MB