The Linux Kernel, the operating system core itself.
Security Fix(es):
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access
l2cap_information_rsp() checks that cmd_len covers the fixed l2cap_info_rsp header (type + result, 4 bytes) but then reads rsp->data without verifying that the payload is present:
L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads 4 bytes past the header (needs cmd_len >= 8).
L2CAP_IT_FIXED_CHAN reads rsp->data[0], 1 byte past the header (needs cmd_len >= 5).
A truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers an out-of-bounds read of adjacent skb data.
Guard each data access with the required payload length check. If the payload is too short, skip the read and let the state machine complete with safe defaults (feat_mask and remote_fixed_chan remain zero from kzalloc), so the info timer cleanup and l2cap_conn_start() still run and the connection is not stalled. (CVE-2026-31393)
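The length rules above (4-byte header, cmd_len >= 8 for the feature mask, cmd_len >= 5 for the fixed-channel byte) can be modelled in user space. This is an added example, not the kernel patch: struct info_state, parse_info_rsp() and the sample bytes are hypothetical, and the state machine is reduced to a single info_done flag.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values as defined for L2CAP information responses. */
#define L2CAP_IT_FEAT_MASK  0x0002
#define L2CAP_IT_FIXED_CHAN 0x0003
#define L2CAP_IR_SUCCESS    0x0000
#define INFO_RSP_HDR_LEN    4 /* type (2 bytes) + result (2 bytes) */

struct info_state {           /* hypothetical stand-in for the connection */
    uint32_t feat_mask;
    uint8_t  remote_fixed_chan;
    int      info_done;       /* models "state machine completed" */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns -1 if the fixed header is missing, 0 otherwise. */
int parse_info_rsp(const uint8_t *cmd, size_t cmd_len, struct info_state *st)
{
    if (cmd_len < INFO_RSP_HDR_LEN)
        return -1;
    uint16_t type = le16(cmd), result = le16(cmd + 2);
    const uint8_t *data = cmd + INFO_RSP_HDR_LEN;
    size_t data_len = cmd_len - INFO_RSP_HDR_LEN;

    if (result == L2CAP_IR_SUCCESS) {
        /* Each read is guarded by the payload length it needs. */
        if (type == L2CAP_IT_FEAT_MASK && data_len >= sizeof(uint32_t))
            st->feat_mask = le32(data);
        else if (type == L2CAP_IT_FIXED_CHAN && data_len >= 1)
            st->remote_fixed_chan = data[0];
    }
    st->info_done = 1; /* short payload: defaults stay zero, flow continues */
    return 0;
}

int main(void)
{
    const uint8_t rsp[] = {0x02, 0x00, 0x00, 0x00, 0xB8, 0x02, 0x00, 0x00}; /* constructed */
    struct info_state full = {0}, cut = {0};
    parse_info_rsp(rsp, sizeof(rsp), &full);
    parse_info_rsp(rsp, INFO_RSP_HDR_LEN, &cut); /* truncated to the header */
    printf("full=0x%08x truncated=0x%08x\n", (unsigned)full.feat_mask, (unsigned)cut.feat_mask);
    return 0;
}
```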
In the Linux kernel, the following vulnerability has been resolved:
ext4: reject mount if bigalloc with s_first_data_block != 0
bigalloc with s_first_data_block != 0 is not supported, reject mounting it. (CVE-2026-31447)
In the Linux kernel, the following vulnerability has been resolved:
HID: multitouch: Check to ensure report responses match the request
It is possible for a malicious (or clumsy) device to respond to a specific report's feature request using a completely different report ID. This can cause confusion in the HID core resulting in nasty side-effects such as OOB writes.
Add a check to ensure that the report ID in the response matches the one that was requested. If it doesn't, omit reporting the raw event and return early. (CVE-2026-43047)
In the Linux kernel, the following vulnerability has been resolved:
HID: core: Mitigate potential OOB by removing bogus memset()
The memset() in hid_report_raw_event() has the good intention of clearing out bogus data by zeroing the area from the end of the incoming data string to the assumed end of the buffer. However, as we have previously seen, doing so can easily result in OOB reads and writes in the subsequent thread of execution.
The current suggestion from one of the HID maintainers is to remove the memset() and simply return if the incoming event buffer size is not large enough to fill the associated report.
Suggested-by Benjamin Tissoires <(CVE-2026-43048)
In the Linux kernel, there is a potential out-of-bounds access vulnerability in the ceph_handle_auth_reply() function of the libceph component. When processing messages of type CEPH_MSG_AUTH_REPLY, the value of the payload_len field is stored in a variable of type int. A value greater than INT_MAX leads to integer overflow and is interpreted as a negative value, which causes the pointer address to be decremented and subsequently accessed because ceph_decode_need() only checks that the memory access does not exceed the end address of the allocation. The vulnerability is fixed by changing the data type of payload_len to u32 and introducing additional sanity checks. (CVE-2026-43407)
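The signed-length problem described above, modelled with buffer offsets instead of kernel pointers. This is an added example, not libceph code: skip_payload_signed() and skip_payload_u32() are hypothetical names, and the unsigned variant shows one possible form of the sanity check, not the exact upstream change.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Offsets are relative to the start of the message buffer; `end` is its
 * length. Both functions skip a payload and then require room for one more
 * u32, returning 0 and storing the new offset, or -1 on rejection. */

/* Behaviour before the fix: the length lives in an int and only the upper
 * bound is checked after the cursor has already moved. */
int skip_payload_signed(int64_t pos, int64_t end, uint32_t wire_len, int64_t *next)
{
    /* Values above INT_MAX turn negative here (implementation-defined
     * conversion; wraps on GCC and Clang). */
    int payload_len = (int)wire_len;
    int64_t p = pos + payload_len;      /* cursor can move backwards */

    if (end - p < (int64_t)sizeof(uint32_t)) /* upper-bound-only check */
        return -1;
    *next = p;
    return 0;
}

/* Length kept unsigned and compared with the bytes remaining before the
 * cursor is advanced. */
int skip_payload_u32(size_t pos, size_t end, uint32_t payload_len, size_t *next)
{
    if (pos > end || payload_len > end - pos)
        return -1;
    size_t p = pos + payload_len;
    if (end - p < sizeof(uint32_t))
        return -1;
    *next = p;
    return 0;
}

int main(void)
{
    int64_t s = 0;
    size_t u = 0;
    uint32_t wire_len = 0xFFFFFFF0u;    /* constructed: greater than INT_MAX */
    int r1 = skip_payload_signed(8, 64, wire_len, &s);
    int r2 = skip_payload_u32(8, 64, wire_len, &u);
    printf("signed: rc=%d offset=%lld, unsigned: rc=%d\n", r1, (long long)s, r2);
    return 0;
}
```

With the signed variant the resulting offset is negative, meaning the cursor sits before the start of the buffer while still passing the end check.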
{
"severity": "Critical"
}
{
"aarch64": [
"bpftool-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm",
"bpftool-debuginfo-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm",
"kernel-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm",
"kernel-debuginfo-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm",
"kernel-debugsource-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm",
"kernel-devel-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm",
"kernel-extra-modules-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm",
"kernel-headers-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm",
"kernel-source-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm",
"kernel-tools-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm",
"kernel-tools-debuginfo-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm",
"kernel-tools-devel-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm",
"perf-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm",
"perf-debuginfo-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm",
"python3-perf-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm",
"python3-perf-debuginfo-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm"
],
"src": [
"kernel-6.6.0-145.3.12.142.oe2403sp3.src.rpm"
],
"x86_64": [
"bpftool-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm",
"bpftool-debuginfo-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm",
"kernel-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm",
"kernel-debuginfo-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm",
"kernel-debugsource-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm",
"kernel-devel-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm",
"kernel-extra-modules-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm",
"kernel-headers-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm",
"kernel-source-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm",
"kernel-tools-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm",
"kernel-tools-debuginfo-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm",
"kernel-tools-devel-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm",
"perf-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm",
"perf-debuginfo-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm",
"python3-perf-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm",
"python3-perf-debuginfo-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm"
]
}