Security update for the Linux Kernel

Announcement ID:	SUSE-SU-2026:0928-1
Release Date:	2026-03-18T13:32:23Z
Rating:	important
References:	bsc#1238917 bsc#1246166 bsc#1247177 bsc#1255049 bsc#1255163 bsc#1255401 bsc#1256645 bsc#1257231 bsc#1257735 bsc#1257749 bsc#1257790 bsc#1258340 bsc#1258395 bsc#1258849 jsc#PED-12836
Cross-References:	CVE-2023-53794 CVE-2023-53827 CVE-2025-21738 CVE-2025-38224 CVE-2025-38375 CVE-2025-68285 CVE-2025-71066 CVE-2026-23004 CVE-2026-23060 CVE-2026-23074 CVE-2026-23089 CVE-2026-23191 CVE-2026-23204
CVSS scores:	CVE-2023-53794 ( SUSE ): 7.7 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2023-53794 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2023-53827 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2023-53827 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-21738 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-21738 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-21738 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-38224 ( SUSE ): 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-38224 ( NVD ): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2025-38375 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-38375 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-38375 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-68285 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-68285 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-71066 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2026-23004 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2026-23004 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2026-23060 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2026-23060 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2026-23060 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2026-23074 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2026-23074 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2026-23089 ( SUSE ): 5.2 CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2026-23089 ( SUSE ): 5.9 CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2026-23089 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2026-23191 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2026-23191 ( SUSE ): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2026-23191 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2026-23204 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2026-23204 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	openSUSE Leap 15.3 SUSE Linux Enterprise Micro 5.2 SUSE Linux Enterprise Micro for Rancher 5.2

An update that solves 13 vulnerabilities, contains one feature and has one security fix can now be installed.

Description:

The SUSE Linux Enterprise 15 SP3 kernel was updated to fix various security issues

The following security issues were fixed:

CVE-2023-53794: cifs: fix session state check in reconnect to avoid use-after-free issue (bsc#1255163).
CVE-2023-53827: Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp} (bsc#1255049).
CVE-2025-21738: ata: libata-sff: Ensure that we cannot write outside the allocated buffer (bsc#1238917).
CVE-2025-38375: virtio-net: ensure the received length does not exceed allocated size (bsc#1247177).
CVE-2025-68285: libceph: fix potential use-after-free in have_mon_and_osd_map() (bsc#1255401).
CVE-2025-71066: net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change (bsc#1256645).
CVE-2026-23004: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() (bsc#1257231).
CVE-2026-23060: crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec (bsc#1257735).
CVE-2026-23074: net/sched: Enforce that teql can only be used as root qdisc (bsc#1257749).
CVE-2026-23089: ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free() (bsc#1257790).
CVE-2026-23191: ALSA: aloop: Fix racy access at PCM trigger (bsc#1258395).
CVE-2026-23204: net: add skb_header_pointer_careful() helper (bsc#1258340).

The following non security issues were fixed:

apparmor: fix differential encoding verification (bsc#1258849).
apparmor: Fix double free of ns_name in aa_replace_profiles() (bsc#1258849).
apparmor: fix memory leak in verify_header (bsc#1258849).
apparmor: fix missing bounds check on DEFAULT table in verify_dfa() (bsc#1258849).
apparmor: fix side-effect bug in match_char() macro usage (bsc#1258849).
apparmor: fix unprivileged local user can do privileged policy management (bsc#1258849).
apparmor: fix: limit the number of levels of policy namespaces (bsc#1258849).
apparmor: replace recursive profile removal with iterative approach (bsc#1258849).
apparmor: validate DFA start states are in bounds in unpack_pdb (bsc#1258849).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

openSUSE Leap 15.3
zypper in -t patch SUSE-2026-928=1
SUSE Linux Enterprise Micro 5.2
zypper in -t patch SUSE-SUSE-MicroOS-5.2-2026-928=1
SUSE Linux Enterprise Micro for Rancher 5.2
zypper in -t patch SUSE-SUSE-MicroOS-5.2-2026-928=1

Package List:

openSUSE Leap 15.3 (noarch nosrc)
- kernel-docs-5.3.18-150300.59.238.1
openSUSE Leap 15.3 (noarch)
- kernel-source-5.3.18-150300.59.238.1
- kernel-source-vanilla-5.3.18-150300.59.238.1
- kernel-macros-5.3.18-150300.59.238.1
- kernel-devel-5.3.18-150300.59.238.1
- kernel-docs-html-5.3.18-150300.59.238.1
openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64)
- ocfs2-kmp-default-5.3.18-150300.59.238.1
- dlm-kmp-default-5.3.18-150300.59.238.1
- kernel-obs-build-5.3.18-150300.59.238.1
- kernel-obs-build-debugsource-5.3.18-150300.59.238.1
- kernel-default-optional-debuginfo-5.3.18-150300.59.238.1
- kernel-obs-qa-5.3.18-150300.59.238.1
- gfs2-kmp-default-5.3.18-150300.59.238.1
- reiserfs-kmp-default-debuginfo-5.3.18-150300.59.238.1
- reiserfs-kmp-default-5.3.18-150300.59.238.1
- kernel-default-devel-debuginfo-5.3.18-150300.59.238.1
- kernel-default-debuginfo-5.3.18-150300.59.238.1
- cluster-md-kmp-default-5.3.18-150300.59.238.1
- ocfs2-kmp-default-debuginfo-5.3.18-150300.59.238.1
- kernel-default-base-rebuild-5.3.18-150300.59.238.1.150300.18.142.1
- kernel-default-livepatch-5.3.18-150300.59.238.1
- kernel-default-extra-debuginfo-5.3.18-150300.59.238.1
- kselftests-kmp-default-5.3.18-150300.59.238.1
- dlm-kmp-default-debuginfo-5.3.18-150300.59.238.1
- kernel-default-base-5.3.18-150300.59.238.1.150300.18.142.1
- kernel-default-extra-5.3.18-150300.59.238.1
- kselftests-kmp-default-debuginfo-5.3.18-150300.59.238.1
- gfs2-kmp-default-debuginfo-5.3.18-150300.59.238.1
- kernel-default-optional-5.3.18-150300.59.238.1
- cluster-md-kmp-default-debuginfo-5.3.18-150300.59.238.1
- kernel-default-debugsource-5.3.18-150300.59.238.1
- kernel-default-devel-5.3.18-150300.59.238.1
- kernel-syms-5.3.18-150300.59.238.1
openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64 nosrc)
- kernel-default-5.3.18-150300.59.238.1
openSUSE Leap 15.3 (ppc64le s390x x86_64)
- kernel-default-livepatch-devel-5.3.18-150300.59.238.1
openSUSE Leap 15.3 (nosrc ppc64le x86_64)
- kernel-kvmsmall-5.3.18-150300.59.238.1
openSUSE Leap 15.3 (ppc64le x86_64)
- kernel-kvmsmall-debugsource-5.3.18-150300.59.238.1
- kernel-kvmsmall-devel-debuginfo-5.3.18-150300.59.238.1
- kernel-kvmsmall-debuginfo-5.3.18-150300.59.238.1
- kernel-kvmsmall-devel-5.3.18-150300.59.238.1
openSUSE Leap 15.3 (aarch64 x86_64)
- ocfs2-kmp-preempt-5.3.18-150300.59.238.1
- dlm-kmp-preempt-debuginfo-5.3.18-150300.59.238.1
- reiserfs-kmp-preempt-5.3.18-150300.59.238.1
- kernel-preempt-devel-5.3.18-150300.59.238.1
- kernel-preempt-extra-5.3.18-150300.59.238.1
- cluster-md-kmp-preempt-5.3.18-150300.59.238.1
- kernel-preempt-optional-5.3.18-150300.59.238.1
- kernel-preempt-optional-debuginfo-5.3.18-150300.59.238.1
- ocfs2-kmp-preempt-debuginfo-5.3.18-150300.59.238.1
- kernel-preempt-extra-debuginfo-5.3.18-150300.59.238.1
- kernel-preempt-devel-debuginfo-5.3.18-150300.59.238.1
- gfs2-kmp-preempt-debuginfo-5.3.18-150300.59.238.1
- kernel-preempt-debugsource-5.3.18-150300.59.238.1
- reiserfs-kmp-preempt-debuginfo-5.3.18-150300.59.238.1
- kselftests-kmp-preempt-debuginfo-5.3.18-150300.59.238.1
- kernel-preempt-debuginfo-5.3.18-150300.59.238.1
- cluster-md-kmp-preempt-debuginfo-5.3.18-150300.59.238.1
- dlm-kmp-preempt-5.3.18-150300.59.238.1
- gfs2-kmp-preempt-5.3.18-150300.59.238.1
- kselftests-kmp-preempt-5.3.18-150300.59.238.1
openSUSE Leap 15.3 (aarch64 nosrc x86_64)
- kernel-preempt-5.3.18-150300.59.238.1
openSUSE Leap 15.3 (nosrc s390x)
- kernel-zfcpdump-5.3.18-150300.59.238.1
openSUSE Leap 15.3 (s390x)
- kernel-zfcpdump-debuginfo-5.3.18-150300.59.238.1
- kernel-zfcpdump-debugsource-5.3.18-150300.59.238.1
openSUSE Leap 15.3 (nosrc)
- dtb-aarch64-5.3.18-150300.59.238.1
openSUSE Leap 15.3 (aarch64)
- dtb-altera-5.3.18-150300.59.238.1
- reiserfs-kmp-64kb-5.3.18-150300.59.238.1
- gfs2-kmp-64kb-5.3.18-150300.59.238.1
- kselftests-kmp-64kb-debuginfo-5.3.18-150300.59.238.1
- dtb-socionext-5.3.18-150300.59.238.1
- ocfs2-kmp-64kb-debuginfo-5.3.18-150300.59.238.1
- dtb-marvell-5.3.18-150300.59.238.1
- dtb-xilinx-5.3.18-150300.59.238.1
- dtb-cavium-5.3.18-150300.59.238.1
- dtb-zte-5.3.18-150300.59.238.1
- kernel-64kb-extra-5.3.18-150300.59.238.1
- dtb-sprd-5.3.18-150300.59.238.1
- gfs2-kmp-64kb-debuginfo-5.3.18-150300.59.238.1
- kselftests-kmp-64kb-5.3.18-150300.59.238.1
- kernel-64kb-optional-5.3.18-150300.59.238.1
- dtb-broadcom-5.3.18-150300.59.238.1
- dtb-apm-5.3.18-150300.59.238.1
- kernel-64kb-debuginfo-5.3.18-150300.59.238.1
- kernel-64kb-devel-debuginfo-5.3.18-150300.59.238.1
- ocfs2-kmp-64kb-5.3.18-150300.59.238.1
- dtb-amd-5.3.18-150300.59.238.1
- dtb-mediatek-5.3.18-150300.59.238.1
- dtb-nvidia-5.3.18-150300.59.238.1
- kernel-64kb-optional-debuginfo-5.3.18-150300.59.238.1
- dtb-hisilicon-5.3.18-150300.59.238.1
- cluster-md-kmp-64kb-debuginfo-5.3.18-150300.59.238.1
- cluster-md-kmp-64kb-5.3.18-150300.59.238.1
- dlm-kmp-64kb-5.3.18-150300.59.238.1
- kernel-64kb-extra-debuginfo-5.3.18-150300.59.238.1
- dtb-amlogic-5.3.18-150300.59.238.1
- kernel-64kb-devel-5.3.18-150300.59.238.1
- dtb-exynos-5.3.18-150300.59.238.1
- dtb-freescale-5.3.18-150300.59.238.1
- dtb-renesas-5.3.18-150300.59.238.1
- dlm-kmp-64kb-debuginfo-5.3.18-150300.59.238.1
- dtb-arm-5.3.18-150300.59.238.1
- dtb-allwinner-5.3.18-150300.59.238.1
- kernel-64kb-debugsource-5.3.18-150300.59.238.1
- dtb-qcom-5.3.18-150300.59.238.1
- dtb-lg-5.3.18-150300.59.238.1
- dtb-al-5.3.18-150300.59.238.1
- dtb-rockchip-5.3.18-150300.59.238.1
- reiserfs-kmp-64kb-debuginfo-5.3.18-150300.59.238.1
openSUSE Leap 15.3 (aarch64 nosrc)
- kernel-64kb-5.3.18-150300.59.238.1
SUSE Linux Enterprise Micro 5.2 (aarch64 nosrc s390x x86_64)
- kernel-default-5.3.18-150300.59.238.1
SUSE Linux Enterprise Micro 5.2 (aarch64 x86_64)
- kernel-default-base-5.3.18-150300.59.238.1.150300.18.142.1
SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64)
- kernel-default-debuginfo-5.3.18-150300.59.238.1
- kernel-default-debugsource-5.3.18-150300.59.238.1
SUSE Linux Enterprise Micro for Rancher 5.2 (aarch64 nosrc s390x x86_64)
- kernel-default-5.3.18-150300.59.238.1
SUSE Linux Enterprise Micro for Rancher 5.2 (aarch64 x86_64)
- kernel-default-base-5.3.18-150300.59.238.1.150300.18.142.1
SUSE Linux Enterprise Micro for Rancher 5.2 (aarch64 s390x x86_64)
- kernel-default-debuginfo-5.3.18-150300.59.238.1
- kernel-default-debugsource-5.3.18-150300.59.238.1

Security update for the Linux Kernel

Description:

Special Instructions and Notes:

Patch Instructions:

Package List:

References: