The advisory covers several kernel vulnerabilities affecting Red Hat Enterprise Linux 9 and its variants. CVE-2026-23136 is a denial of service vulnerability in the libceph OSD client caused by an unreset sparse-read state. CVE-2026-23270 is a use-after-free flaw in the traffic control (act_ct) subsystem that could result in denial of service or privilege escalation. CVE-2026-31402 fixes a heap overflow in the NFSv4.0 LOCK replay cache. CVE-2026-31431 addresses a regression in the crypto subsystem's algif_aead module by reverting to out-of-place operation. Red Hat has released updated kernel packages that fix these vulnerabilities. The advisory references multiple bugzilla entries and provides links for obtaining the updated packages. A system reboot is necessary to apply the fixes.

The vulnerabilities collectively can lead to denial of service conditions and potential privilege escalation on affected systems running Red Hat Enterprise Linux 9. The denial of service in libceph could disrupt storage operations. The use-after-free in traffic control may allow attackers to escalate privileges or cause system instability. The heap overflow in NFSv4.0 LOCK replay cache could lead to memory corruption and denial of service. The cryptographic regression fix prevents potential cryptographic operation issues. No known exploits in the wild have been reported at this time.

Red Hat has released an official kernel update that addresses these vulnerabilities. Users should apply the updated kernel packages as provided in the advisory RHSA-2026:13565. After installing the update, a system reboot is required for the changes to take effect. Refer to Red Hat's official update instructions at https://access.redhat.com/articles/11258 for detailed guidance. No additional mitigation steps are indicated by the vendor.