-
Thu Jun 04 2026 EL Errata <el-errata_ww@oracle.com> [4.18.0-553.129.1.el8_10.OL8]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.3
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34750652]
- Add new Oracle Linux Driver Signing (key 1) certificate [Orabug: 37985772]
-
Tue Jun 02 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [4.18.0-553.129.1.el8_10]
- smb: client: reject userspace cifs.spnego descriptions (Paulo Alcantara) [RHEL-178938] {CVE-2026-46243}
-
Fri May 29 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [4.18.0-553.128.1.el8_10]
- smb: client: fix OOB reads parsing symlink error response (Paulo Alcantara) [RHEL-171465] {CVE-2026-31613}
- geneve: Suppress list corruption splat in geneve_destroy_tunnels(). (Antoine Tenart) [RHEL-168961]
- geneve: Fix use-after-free in geneve_find_dev(). (Antoine Tenart) [RHEL-168961] {CVE-2025-21858}
- netfilter: nf_tables: release flowtable after rcu grace period on error (Florian Westphal) [RHEL-160514] {CVE-2026-23392}
-
Wed May 27 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [4.18.0-553.127.1.el8_10]
- smc: Fix use-after-free in tcp_write_timer_handler(). (Steve Best) [RHEL-167084] {CVE-2023-53781}
- nbd: defer config unlock in nbd_genl_connect (CKI Backport Bot) [RHEL-166939] {CVE-2025-68366}
- libceph: prevent potential out-of-bounds reads in handle_auth_done() (CKI Backport Bot) [RHEL-143892] {CVE-2026-22984}
- libceph: replace overzealous BUG_ON in osdmap_apply_incremental() (CKI Backport Bot) [RHEL-143874] {CVE-2026-22990}
-
Wed May 20 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [4.18.0-553.126.1.el8_10]
- crypto: af_alg - Work around empty control messages without MSG_MORE (Thomas Huth) [RHEL-175772]
- crypto: af_alg - Fix regression on empty requests (Thomas Huth) [RHEL-175772]
- crypto: af_alg - fix use-after-free in af_alg_accept() due to bh_lock_sock() (Thomas Huth) [RHEL-175772]
- crypto: af_alg - remove redundant initializations of sk_family (Thomas Huth) [RHEL-175772]
- crypto: af_alg - Use bh_lock_sock in sk_destruct (Thomas Huth) [RHEL-175772]
- crypto: algif_aead - fix uninitialized ctx->init (Thomas Huth) [RHEL-175772]
- crypto: algif_aead - Only wake up when ctx->more is zero (Thomas Huth) [RHEL-175772]
- crypto: algif_aead - Do not set MAY_BACKLOG on the async path (Thomas Huth) [RHEL-175772]
- crypto: null - Remove VLA usage of skcipher (Thomas Huth) [RHEL-175772]
- smb: client: validate dacloffset before building DACL pointers (Paulo Alcantara) [RHEL-172815]
- smb: client: use kzalloc to zero-initialize security descriptor buffer (Paulo Alcantara) [RHEL-172815]
- smb: client: scope end_of_dacl to CIFS_DEBUG2 use in parse_dacl (Paulo Alcantara) [RHEL-172815]
- smb: client: require a full NFS mode SID before reading mode bits (Paulo Alcantara) [RHEL-172815]
- smb: client: validate the whole DACL before rewriting it in cifsacl (Paulo Alcantara) [RHEL-172815] {CVE-2026-31709}
- smb: client: Return a status code only as a constant in sid_to_id() (Paulo Alcantara) [RHEL-172815]
- cifs: add validation check for the fields in smb_aces (Paulo Alcantara) [RHEL-172815]
- cifs: fix incorrect validation for num_aces field of smb_acl (Paulo Alcantara) [RHEL-172815]
- smb: common: change the data type of num_aces to le16 (Paulo Alcantara) [RHEL-172815]
- netfilter: xt_tcpmss: check remaining length before reading optlen (CKI Backport Bot) [RHEL-174212] {CVE-2026-43190}
- md/bitmap: fix GPF in write_page caused by resize race (CKI Backport Bot) [RHEL-174088] {CVE-2026-43163}
- xfs: fix freemap adjustments when adding xattrs to leaf blocks (CKI Backport Bot) [RHEL-174045] {CVE-2026-43158}
- xfs: delete attr leaf freemap entries when empty (CKI Backport Bot) [RHEL-174045] {CVE-2026-43158}
- can: raw: fix ro->uniq use-after-free in raw_rcv() (Davide Caratti) [RHEL-170753] {CVE-2026-31532}
- can: af_can: export can_sock_destruct() (Davide Caratti) [RHEL-170753] {CVE-2026-31532}
- HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq (CKI Backport Bot) [RHEL-172734] {CVE-2026-43051}
- netfilter: nf_conntrack_helper: pass helper to expect cleanup (CKI Backport Bot) [RHEL-172614] {CVE-2026-43027}
- Bluetooth: MGMT: validate LTK enc_size on load (CKI Backport Bot) [RHEL-172566] {CVE-2026-43020}
- Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold (David Marlin) [RHEL-165057] {CVE-2026-31408}
- Bluetooth: SCO: Fix UAF on sco_sock_timeout (David Marlin) [RHEL-165057] {CVE-2026-31408}
- Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout (David Marlin) [RHEL-165057] {CVE-2026-31408}
- Bluetooth: Init sk_peer_* on bt_sock_alloc (David Marlin) [RHEL-165057] {CVE-2026-31408}
- Bluetooth: Consolidate code around sk_alloc into a helper function (David Marlin) [RHEL-165057] {CVE-2026-31408}
- netfilter: ip6t_eui64: reject invalid MAC header for all packets (CKI Backport Bot) [RHEL-171149] {CVE-2026-31685}
- net: sched: act_csum: validate nested VLAN headers (CKI Backport Bot) [RHEL-171132] {CVE-2026-31684}
- smb: client: fix mid_q_entry memleak leak with per-mid locking (Paulo Alcantara) [RHEL-164032]
- smb: client: smb: client: eliminate mid_flags field (Paulo Alcantara) [RHEL-164032]
- smb: client: add mid_counter_lock to protect the mid counter counter (Paulo Alcantara) [RHEL-164032]
- smb: client: rename server mid_lock to mid_queue_lock (Paulo Alcantara) [RHEL-164032]
- smb3: fix lock ordering potential deadlock in cifs_sync_mid_result (Paulo Alcantara) [RHEL-164032]
- smb: client: remove redundant lstrp update in negotiate protocol (Paulo Alcantara) [RHEL-164032]
- smb: client: fix race condition in negotiate timeout by using more precise timing (Paulo Alcantara) [RHEL-164032]
- smb: client: fix first command failure during re-negotiation (Paulo Alcantara) [RHEL-164032]
- smb: client: fix hang in wait_for_response() for negproto (Paulo Alcantara) [RHEL-164032]
- ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr (Bruno Meneguele) [RHEL-166886] {CVE-2025-68183}
- selftests/bpf: Test outer map update operations in syscall program (Viktor Malik) [RHEL-152219]
- selftests/bpf: Add test cases for inner map (Viktor Malik) [RHEL-152219]
- bpf: prepare for more bpf syscall to be used from kernel and user space. (Viktor Malik) [RHEL-152219]
- bpf: Optimize the free of inner map (Viktor Malik) [RHEL-152219]
- bpf: Defer the free of inner map when necessary (Viktor Malik) [RHEL-152219]
- bpf: Set need_defer as false when clearing fd array during map free (Viktor Malik) [RHEL-152219]
- bpf: Add map and need_defer parameters to .map_fd_put_ptr() (Viktor Malik) [RHEL-152219]
- bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers (Viktor Malik) [RHEL-152219]
- netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() (CKI Backport Bot) [RHEL-166981] {CVE-2026-23455}
- ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events (CKI Backport Bot) [RHEL-166960] {CVE-2025-68347}
- RDMA/umad: Reject negative data_len in ib_umad_write (Kamal Heib) [RHEL-156872] {CVE-2026-23243}
- Bluetooth: mgmt: remove NULL check in add_ext_adv_params_complete() (David Marlin) [RHEL-122890]
- Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers (David Marlin) [RHEL-122890]
- Bluetooth: MGMT: Fix memory leak in set_ssp_complete (David Marlin) [RHEL-122890]
- Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once (David Marlin) [RHEL-122890]
- Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_add_adv_monitor() (David Marlin) [RHEL-122890]
- Bluetooth: ISO: don't try to remove CIG if there are bound CIS left (David Marlin) [RHEL-122890]
- Bluetooth: hci_sync: Don't double print name in add/remove adv_monitor (David Marlin) [RHEL-122890]
- Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_remove_adv_monitor() (David Marlin) [RHEL-122890]
- Bluetooth: hci_event: Fix Invalid wait context (David Marlin) [RHEL-122890]
- Bluetooth: hci_sync: Fix use HCI_OP_LE_READ_BUFFER_SIZE_V2 (David Marlin) [RHEL-122890]
- Bluetooth: hci_conn: Fix crash on hci_create_cis_sync (David Marlin) [RHEL-122890]
- Bluetooth: hci_conn: Fix not restoring ISO buffer count on disconnect (David Marlin) [RHEL-122890]
- Bluetooth: Fix HCIGETDEVINFO regression (David Marlin) [RHEL-122890]
- Bluetooth: hci_sync: Fix hci_read_buffer_size_sync (David Marlin) [RHEL-122890]
- Bluetooth: hci_sync: fix double mgmt_pending_free() in remove_adv_monitor() (David Marlin) [RHEL-122890]
- Bluetooth: hci_conn: Fix updating ISO QoS PHY (David Marlin) [RHEL-122890]
- Bluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete (David Marlin) [RHEL-122890]
- Bluetooth: MGMT: Fix possible UAFs (David Marlin) [RHEL-122890] {CVE-2025-39981}
- Bluetooth: hci_sync: fix set_local_name race condition (David Marlin) [RHEL-122890] {CVE-2025-39981}
- Bluetooth: hci_sync: Add helper functions to manipulate cmd_sync queue (David Marlin) [RHEL-122890]
- Bluetooth: Fix race condition in hci_cmd_sync_clear (David Marlin) [RHEL-122890]
- Bluetooth: hci_sock: Prevent race in socket write iter and sock bind (David Marlin) [RHEL-122890]
- Bluetooth: MGMT: Protect mgmt_pending list with its own lock (David Marlin) [RHEL-122890]
- Bluetooth: MGMT: Fix sparse errors (David Marlin) [RHEL-122890]
- Bluetooth: MGMT: Fix possible crash on mgmt_index_removed (David Marlin) [RHEL-122890]
- Bluetooth: Add initial implementation of CIS connections (David Marlin) [RHEL-122890]
- Bluetooth: hci_core: Fix possible buffer overflow (David Marlin) [RHEL-122890]
- Bluetooth: Keep MGMT pending queue ordered FIFO (David Marlin) [RHEL-122890]
- Bluetooth: MGMT: Remove unused mgmt_pending_find_data (David Marlin) [RHEL-122890]
- Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete (David Marlin) [RHEL-122890] {CVE-2025-39981}
- Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync (David Marlin) [RHEL-122890]
- Bluetooth: hci_sync: Using hci_cmd_sync_submit when removing Adv Monitor (David Marlin) [RHEL-122890]
- Bluetooth: MGMT: Fix possible deadlocks (David Marlin) [RHEL-122890] {CVE-2025-39981}
- Bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync (David Marlin) [RHEL-122890] {CVE-2025-39981}
- Bluetooth: mgmt: remove NULL check in mgmt_set_connectable_complete() (David Marlin) [RHEL-122890] {CVE-2025-39981}
- Bluetooth: hci_sync: Refactor remove Adv Monitor (David Marlin) [RHEL-122890] {CVE-2025-39981}
- Bluetooth: hci_sync: Refactor add Adv Monitor (David Marlin) [RHEL-122890] {CVE-2025-39981}
- Bluetooth: msft: Move code snippet to correct location (David Marlin) [RHEL-122890]
- Bluetooth: msft: Clear tracked devices on resume (David Marlin) [RHEL-122890] {CVE-2025-39981}
- Bluetooth: mgmt: Add MGMT Adv Monitor Device Found/Lost events (David Marlin) [RHEL-122890] {CVE-2025-39981}
- Bluetooth: msft: Handle MSFT Monitor Device Event (David Marlin) [RHEL-122890] {CVE-2025-39981}
- net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks (CKI Backport Bot) [RHEL-157322] {CVE-2026-23270}
- libceph: make decode_pool() more resilient against corrupted osdmaps (CKI Backport Bot) [RHEL-142093] {CVE-2025-71116}
-
Mon May 18 2026 Denys Vlasenko <dvlasenk@redhat.com> [4.18.0-553.125.1.el8_10]
- net: skbuff: propagate shared-frag marker through frag-transfer helpers (Sabrina Dubroca) [RHEL-176090] {CVE-2026-46300}
- net: skbuff: preserve shared-frag marker during coalescing (Sabrina Dubroca) [RHEL-176090] {CVE-2026-46300}
- ptrace: slightly saner 'get_dumpable()' logic (Rafael Aquini) [RHEL-176445] {CVE-2026-46333}
-
Mon May 11 2026 Denys Vlasenko <dvlasenk@redhat.com> [4.18.0-553.124.1.el8_10]
- xfrm: esp: avoid in-place decrypt on shared skb frags (Sabrina Dubroca) [RHEL-174586] {CVE-2026-43284}
-
Mon May 04 2026 Denys Vlasenko <dvlasenk@redhat.com> [4.18.0-553.123.1.el8_10]
- crypto: algif_aead - snapshot IV for async AEAD requests (Herbert Xu) [RHEL-172187]
- crypto: algif_aead - Fix minimum RX size check for decryption (Herbert Xu) [RHEL-172187]
- crypto: authencesn - reject short ahash digests during instance creation (Herbert Xu) [RHEL-172187]
- crypto: authencesn - Fix src offset when decrypting in-place (Herbert Xu) [RHEL-172187]
- crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption (Herbert Xu) [RHEL-172187] {CVE-2026-31431}
- crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec (Herbert Xu) [RHEL-172187] {CVE-2026-23060}
- crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl (Herbert Xu) [RHEL-172187]
- crypto: af_alg - limit RX SG extraction by receive buffer budget (Herbert Xu) [RHEL-172187] {CVE-2026-31677}
- crypto: algif_aead - Revert to operating out-of-place (Herbert Xu) [RHEL-172187] {CVE-2026-31431}
- crypto: af-alg - fix NULL pointer dereference in scatterwalk (Herbert Xu) [RHEL-172187]
- KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE (Paolo Bonzini) [RHEL-153727] {CVE-2026-23401}
-
Fri Apr 24 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [4.18.0-553.122.1.el8_10]
- nvme: avoid double free special payload (Maurizio Lombardi) [RHEL-51303] {CVE-2024-41073}
- crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id (CKI Backport Bot) [RHEL-166921] {CVE-2025-68724}
- net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end() (Jay Shin) [RHEL-166155] {CVE-2025-40252}
- kernel.h: Move ARRAY_SIZE() to a separate header (Jay Shin) [RHEL-166155] {CVE-2025-40252}
-
Wed Apr 15 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [4.18.0-553.121.1.el8_10]
- nfsd: fix heap overflow in NFSv4.0 LOCK replay cache (Scott Mayhew) [RHEL-167011] {CVE-2026-31402}