CVE-2026-23136 Affecting kernel-uek-doc package, versions <0:6.12.0-109.67.6.el9uek
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-ORACLE9-KERNELUEKDOC-15469768
- published12 Mar 2026
- disclosed14 Feb 2026
Introduced: 14 Feb 2026
NewCVE-2026-23136 (opens in a new tab)How to fix?
Upgrade Oracle:9 kernel-uek-doc to version 0:6.12.0-109.67.6.el9uek or higher.
This issue was patched in ELSA-2026-50144.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-uek-doc package and not the kernel-uek-doc package as distributed by Oracle.
See How to fix? for Oracle:9 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
libceph: reset sparse-read state in osd_fault()
When a fault occurs, the connection is abandoned, reestablished, and any pending operations are retried. The OSD client tracks the progress of a sparse-read reply using a separate state machine, largely independent of the messenger's state.
If a connection is lost mid-payload or the sparse-read state machine returns an error, the sparse-read state is not reset. The OSD client will then interpret the beginning of a new reply as the continuation of the old one. If this makes the sparse-read machinery enter a failure state, it may never recover, producing loops like:
libceph: [0] got 0 extents libceph: data len 142248331 != extent len 0 libceph: osd0 (1)...:6801 socket error on read libceph: data len 142248331 != extent len 0 libceph: osd0 (1)...:6801 socket error on read
Therefore, reset the sparse-read state in osd_fault(), ensuring retries start from a clean state.
References
- https://linux.oracle.com/cve/CVE-2026-23136.html
- https://linux.oracle.com/errata/ELSA-2026-50144.html
- https://git.kernel.org/stable/c/10b7c72810364226f7b27916ea3e2a4f870bc04b
- https://git.kernel.org/stable/c/11194b416ef95012c2cfe5f546d71af07b639e93
- https://git.kernel.org/stable/c/90a60fe61908afa0eaf7f8fcf1421b9b50e5f7ff
- https://git.kernel.org/stable/c/e94075e950a6598e710b9f7dffea5aa388f40313