kernel-4.18.0-553.139.1.el8_10

エラータID: AXSA:2026-1250:48

Release date: 
Monday, July 13, 2026 - 18:58
Subject: 
kernel-4.18.0-553.139.1.el8_10
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count() (CVE-2026-23216)
* kernel: gfs2: Fix use-after-free in iomap inline data write path (CVE-2026-45984)
* kernel: RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path (CVE-2026-46189)

Bug Fix(es) and Enhancement(s):

* [RHEL 8.10.z] Add an .sbat section to the x86 kernel (JIRA:RHEL-182788)
* Incorrect message "NFS: Server wrote zero bytes" is shown in the logs (JIRA:RHEL-147665)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2026-23216
In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count() In iscsit_dec_conn_usage_count(), the function calls complete() while holding the conn->conn_usage_lock. As soon as complete() is invoked, the waiter (such as iscsit_close_connection()) may wake up and proceed to free the iscsit_conn structure. If the waiter frees the memory before the current thread reaches spin_unlock_bh(), it results in a KASAN slab-use-after-free as the function attempts to release a lock within the already-freed connection structure. Fix this by releasing the spinlock before calling complete().
CVE-2026-45984
In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix use-after-free in iomap inline data write path The inline data buffer head (dibh) is being released prematurely in gfs2_iomap_begin() via release_metapath() while iomap->inline_data still points to dibh->b_data. This causes a use-after-free when iomap_write_end_inline() later attempts to write to the inline data area. The bug sequence: 1. gfs2_iomap_begin() calls gfs2_meta_inode_buffer() to read inode metadata into dibh 2. Sets iomap->inline_data = dibh->b_data + sizeof(struct gfs2_dinode) 3. Calls release_metapath() which calls brelse(dibh), dropping refcount to 0 4. kswapd reclaims the page (~39ms later in the syzbot report) 5. iomap_write_end_inline() tries to memcpy() to iomap->inline_data 6. KASAN detects use-after-free write to freed memory Fix by storing dibh in iomap->private and incrementing its refcount with get_bh() in gfs2_iomap_begin(). The buffer is then properly released in gfs2_iomap_end() after the inline write completes, ensuring the page stays alive for the entire iomap operation. Note: A C reproducer is not available for this issue. The fix is based on analysis of the KASAN report and code review showing the buffer head is freed before use. [agruenba: Take buffer head reference in gfs2_iomap_begin() to avoid leaks in gfs2_iomap_get() and gfs2_iomap_alloc().]
CVE-2026-46189
In the Linux kernel, the following vulnerability has been resolved: RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path Sashiko points out that pvrdma_uar_free() is already called within pvrdma_dealloc_ucontext(), so calling it before triggers a double free.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. kernel-4.18.0-553.139.1.el8_10.src.rpm
    MD5: ecbdf3fd2fb604c656d3393fb9cd500f
    SHA-256: befaa93017ee28bdc778dd7a833c6f90798de1d65d5716d67b074ba39fa3a05f
    Size: 132.40 MB

Asianux Server 8 for x86_64
  1. bpftool-4.18.0-553.139.1.el8_10.x86_64.rpm
    MD5: efb472774fa1d50cd1b88322ade66ec5
    SHA-256: 27d2799c0c972fcaf3889daa61bd0da7dcce17c8db889c59779851fbbb2c6b4b
    Size: 11.32 MB
  2. kernel-4.18.0-553.139.1.el8_10.x86_64.rpm
    MD5: af25647b618b6c20c49929d4e1881864
    SHA-256: 8fae3e959425484e76c99e85c8df8813eea66da09ecac3cc5ec30a0f598038fa
    Size: 10.59 MB
  3. kernel-abi-stablelists-4.18.0-553.139.1.el8_10.noarch.rpm
    MD5: 2cda1b2d1bc4979200d13d49d4768031
    SHA-256: acc97ae237381058017f0f49ea1cb398340027c8d05f72709c2e65ecf8b996d8
    Size: 10.61 MB
  4. kernel-core-4.18.0-553.139.1.el8_10.x86_64.rpm
    MD5: 862e52a1b56bdf1132cf0731f6bc1cdf
    SHA-256: a1270c20bbf98722b9b535dd6d9c069e41f0dd46ce0e827caf86103fd97176db
    Size: 43.65 MB
  5. kernel-cross-headers-4.18.0-553.139.1.el8_10.x86_64.rpm
    MD5: 1f1bfa1bb20db1a2168e00a250df01bb
    SHA-256: 4d61d21c95af5a79d0f59ea6a1426b4d403f20d7b0587401b92d683d7a269015
    Size: 15.94 MB
  6. kernel-debug-4.18.0-553.139.1.el8_10.x86_64.rpm
    MD5: deedf919cccb9336aeaac1dbf21642da
    SHA-256: 035fd55c9ce9a513c0454320356d3586344f1a9b7bd42d73283154d02b345855
    Size: 10.59 MB
  7. kernel-debug-core-4.18.0-553.139.1.el8_10.x86_64.rpm
    MD5: 12a8007b026016fbb95b17d8e929eb11
    SHA-256: c29c8483132e34386dd3f3afe132075197b4c82fede7786e719fc1aeca39b635
    Size: 72.95 MB
  8. kernel-debug-devel-4.18.0-553.139.1.el8_10.x86_64.rpm
    MD5: fb2a91effaf102a885597532c2b57a16
    SHA-256: fcf19e71a113b7d3973b024cd54791515eadbecdb4819cd38af581afd6a7d262
    Size: 24.44 MB
  9. kernel-debug-modules-4.18.0-553.139.1.el8_10.x86_64.rpm
    MD5: 23415e88272429720ff8e86377acceeb
    SHA-256: 41363bf3d5bdc4dff4172af558e9360d1403f9169bd5cd844c4b89d342cffb37
    Size: 66.07 MB
  10. kernel-debug-modules-extra-4.18.0-553.139.1.el8_10.x86_64.rpm
    MD5: 36b7939772877ce6747db6f23a43344d
    SHA-256: df1cf14e54d0c047ab9d83aa4720dc4d78a298301fd955bf6eb4cccb31bae9d9
    Size: 11.97 MB
  11. kernel-devel-4.18.0-553.139.1.el8_10.x86_64.rpm
    MD5: 56db9d096dcc9a1b0b57b119d292e4cd
    SHA-256: 49d275ffc4ef02e519bc5697de5f9b0716ac869c11f467e043aada7e40375468
    Size: 24.24 MB
  12. kernel-doc-4.18.0-553.139.1.el8_10.noarch.rpm
    MD5: 5c32a00342212ae825b20e9a9021afc1
    SHA-256: 2b146397d804e2e6bd709455558272318d06cce86fedaf7602b3db10ca6047e7
    Size: 28.46 MB
  13. kernel-headers-4.18.0-553.139.1.el8_10.x86_64.rpm
    MD5: d41e5641ef7f86f5a8c4a17080b413d2
    SHA-256: e84fc5fb922bac841fba021a27ac8498c85601f48161be1c6dff55325e086157
    Size: 11.95 MB
  14. kernel-modules-4.18.0-553.139.1.el8_10.x86_64.rpm
    MD5: 7f272a20ead45265890f986ed54b5338
    SHA-256: 4d24b5e0543dbf80f74216269b55911c0364747d9b75faf356639ab1fc4dfc29
    Size: 36.45 MB
  15. kernel-modules-extra-4.18.0-553.139.1.el8_10.x86_64.rpm
    MD5: 205a8da9e9c96da32f77c946c4d73c20
    SHA-256: 9e6bd0d876b6c890852fce35d34eb9c075e5949974850726a3f8dc5381c385a5
    Size: 11.28 MB
  16. kernel-tools-4.18.0-553.139.1.el8_10.x86_64.rpm
    MD5: ee232d2c338bc47d00ec0ec4305ef57c
    SHA-256: a422d002448b141c65a2a1b08faf81ad71e3565f4f7b1328b4efea8ac291ba96
    Size: 10.81 MB
  17. kernel-tools-libs-4.18.0-553.139.1.el8_10.x86_64.rpm
    MD5: 5ee4b53fb1a3e767528fa774e764cc05
    SHA-256: df48f290accf5131dde15908d9a878b8147f2b8f660c5bdcacbaf1d1ceee6b7b
    Size: 10.60 MB
  18. kernel-tools-libs-devel-4.18.0-553.139.1.el8_10.x86_64.rpm
    MD5: 8cf4d28ecacb75640a81b0e2afe4f7a0
    SHA-256: 966346761dd32a259eb0c224b8c23b3d5842e35bccb05fd9d1b50346f2e3bed1
    Size: 10.60 MB
  19. perf-4.18.0-553.139.1.el8_10.x86_64.rpm
    MD5: 93205a83aecd497f476cd3811f928d3c
    SHA-256: caa694ca80eb865443a054657c33a54a56f4e3f22e697a7050afc956d55e4f8d
    Size: 12.91 MB
  20. python3-perf-4.18.0-553.139.1.el8_10.x86_64.rpm
    MD5: 60722294994d03eae9bafdee2e8f86cc
    SHA-256: d3c9eecae9c2638c0a057494e65b5e33374201eb0ce30b6355d5cfb84af7fa06
    Size: 10.72 MB