The advisory covers four Linux kernel vulnerabilities affecting Red Hat Enterprise Linux 9 and related distributions. CVE-2026-23060 is a denial of service vulnerability in the authencesn component caused by too-short additional authenticated data (AAD). CVE-2026-31431 addresses a cryptographic regression by reverting the algif_aead module to operate out-of-place. CVE-2026-31677 limits receive buffer budget in the af_alg crypto module to prevent resource exhaustion. CVE-2026-43284, dubbed "Dirty Frag," is a local privilege escalation vulnerability in the ESP XFRM variant of the kernel's networking stack. Red Hat has issued a kernel update that resolves these vulnerabilities, requiring a system reboot to activate the patches.

The vulnerabilities collectively could lead to denial of service conditions and local privilege escalation on affected systems running vulnerable kernel versions. The denial of service vulnerability (CVE-2026-23060) could disrupt system operations. The local privilege escalation vulnerability (CVE-2026-43284) could allow an unprivileged local user to gain elevated privileges. The cryptographic fixes address potential issues in kernel crypto modules that could affect cryptographic operations and system stability. No known exploits in the wild have been reported at this time.

Red Hat has released an official security update for the Linux kernel packages addressing these vulnerabilities. Users of affected Red Hat Enterprise Linux 9 versions and related products should apply the kernel update as provided by Red Hat. A system reboot is required after applying the update to ensure the fixes take effect. For detailed update instructions, refer to Red Hat's official advisory at https://access.redhat.com/articles/11258. No additional mitigations are indicated beyond applying the official update.