On February 13, 2026, SUSE released an important security advisory (SUSE-SU-2026:0491-1) that demands the immediate attention of every systems administrator and security engineer managing enterprise Linux environments.
This update delivers a critical live patch for the SUSE Linux Enterprise Real Time (RT) 15 SP7 kernel (6.4.0-150700.7.19), addressing two severe vulnerabilities that could compromise system stability and integrity.
For organizations relying on SUSE for high-performance computing, financial trading platforms, or SAP applications, the stakes are exceptionally high.
A failure to apply these patches could expose your real-time infrastructure to remote denial-of-service attacks and local privilege escalation exploits. This deep-dive analysis provides the technical context, mitigation strategies, and deployment commands required to secure your environment.
Executive Summary: What’s at Stake?
This security rollup is not a routine maintenance task. It neutralizes two distinct threat vectors affecting the kernel’s networking core (TCP) and remote procedure call (RPC) handling. Here’s a high-level overview of the risks:
CVE-2025-40129 (CVSS 8.7 - High): A null pointer dereference vulnerability in the SUNRPC subsystem. An unauthenticated, remote attacker can trigger this flaw by sending a specially crafted packet with a zero-length checksum, causing a system crash (denial of service).
CVE-2025-40186 (CVSS 7.3 - High): A race condition in the TCP stack’s Fast Open mechanism. A local attacker with low privileges can exploit this to cause a use-after-free scenario, potentially leading to a system crash or arbitrary code execution with elevated privileges.
The availability of a live patch is a critical advantage. It allows you to remediate these vulnerabilities without rebooting your systems, preserving the uptime guarantees required by real-time and mission-critical applications.
Deep Dive: Understanding the Exploits
Why do these specific vulnerabilities warrant such a high CVSS score and immediate action? Let's dissect the mechanics beyond the official descriptions.
CVE-2025-40129: The SUNRPC Null Pointer Dereference
This vulnerability resides in how the kernel handles Remote Procedure Calls (RPCs), the backbone of network file systems like NFS. The flaw, identified as a null pointer dereference, occurs when the system attempts to process an RPC request with a zero-length checksum.
Technical Insight: In standard operation, the sunrpc module validates checksums to ensure data integrity. The vulnerable code path failed to properly validate the length of the checksum before using a pointer to access it. An attacker sending a malicious packet causes the kernel to dereference a null pointer, leading to an immediate kernel panic.
Exploitability: The attack vector is network-based (AV:N) with low complexity (AC:L). Crucially, it requires no privileges (PR:N) or user interaction (UI:N). This makes it a powerful tool for any external or internal threat actor to destabilize critical infrastructure.
Impact: The primary impact is on availability (VA:H). An attacker can systematically crash servers running NFS services or other RPC-dependent applications, leading to significant operational downtime.
CVE-2025-40186: TCP Fast Open Race Condition
This is a more complex vulnerability involving the TCP Fast Open (TFO) mechanism, a feature designed to reduce latency by allowing data to be sent in the SYN packet during a connection handshake.
The flaw lies in the interaction between the connection request (tcp_conn_request) and the cleanup function (reqsk_fastopen_remove).
Technical Insight: Under specific timing conditions, a race window can occur. If a connection request using TFO is aborted or reset at the exact moment it's being processed, the kernel can mistakenly call reqsk_fastopen_remove on a request socket (reqsk) that is already in an invalid state or has been freed. This triggers a use-after-free condition.
Exploitability: This is a local attack (AV:L). An attacker needs a low-privileged account (PR:L) on the system. However, the complexity is high (AC:H) as it requires precise timing to win the race condition. Successful exploitation could allow the attacker to corrupt kernel memory and execute arbitrary code, effectively taking full control of the machine.
Impact: The impact is high on all three pillars of security: confidentiality, integrity, and availability (VC:H/VI:H/VA:H). This makes it a prime target for privilege escalation following an initial breach.
Patch Analysis and Deployment Strategy
SUSE’s response through the Live Patching module is a textbook example of balancing security with operational resilience. The packages listed (kernel-livepatch-6_4_0-150700_7_19-rt-3) are specifically compiled to apply fixes to a running kernel's memory space.
Affected Products and Kernel Streams
This patch is critical for systems running the Real Time (RT) kernel variant. The RT kernel is optimized for low-latency and deterministic behavior, making it prevalent in the workloads named above: high-performance computing, financial trading platforms, and SAP applications.
If you are using the standard kernel, you will receive these fixes in a subsequent, non-live kernel update.
Installation Commands
The deployment is streamlined through SUSE’s package managers. To apply the patch immediately via the command line:
Refresh Repository Metadata:
sudo zypper refresh
Install the Live Patch: Use the specific command from the advisory for your product.
For SUSE Linux Enterprise Live Patching 15-SP7, the command is:
zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP7-2026-491=1 SUSE-SLE-Module-Live-Patching-15-SP7-2026-492=1
This command installs the necessary debuginfo and kernel live patch packages.
Verify Installation:
zypper patches and zypper ps -s can help verify that the patch is applied and whether any processes need restarting (though live patching minimizes this).
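The three steps above, wrapped in a small pre-flight and post-check helper. This is an added example, not a script from SUSE or the advisory; it assumes the affected RT kernel reports 6.4.0-150700.7.19-rt from uname -r and that the loaded live patch shows up under /sys/kernel/livepatch with a module name derived from the kernel-livepatch-6_4_0-150700_7_19-rt-3 package (both assumptions are marked in the code).

```shell
# Added example (not from the SUSE advisory): pre-flight and post-check helper
# for SUSE-SU-2026:0491-1 on SLE Real Time 15 SP7.
# ASSUMPTIONS: the affected RT kernel reports "6.4.0-150700.7.19-rt" from
# `uname -r`, and the loaded live patch appears under /sys/kernel/livepatch
# with a name derived from the package kernel-livepatch-6_4_0-150700_7_19-rt-3.

AFFECTED_RELEASE="6.4.0-150700.7.19-rt"          # assumed uname -r value
LIVEPATCH_DIR="${LIVEPATCH_DIR:-/sys/kernel/livepatch}"
LIVEPATCH_GLOB="livepatch_6_4_0_150700_7_19_rt*" # assumed sysfs module name

# is_affected_kernel RELEASE -> 0 if RELEASE is the kernel this advisory patches
is_affected_kernel() {
    [ "$1" = "$AFFECTED_RELEASE" ]
}

# livepatch_applied DIR -> 0 if DIR contains an enabled live patch module
# for this kernel stream (sysfs exposes "enabled" = 1 once the patch is active)
livepatch_applied() {
    dir="$1"
    for p in "$dir"/$LIVEPATCH_GLOB; do
        [ -f "$p/enabled" ] || continue
        [ "$(cat "$p/enabled")" = "1" ] && return 0
    done
    return 1
}

# apply_patch: the advisory's zypper commands verbatim (needs root and repo access)
apply_patch() {
    zypper refresh &&
    zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP7-2026-491=1 \
                       SUSE-SLE-Module-Live-Patching-15-SP7-2026-492=1
}

# main: decide whether this host needs the patch, apply it, then list processes
# still using stale code (zypper ps -s, as the advisory's verification step does)
main() {
    rel=$(uname -r)
    if ! is_affected_kernel "$rel"; then
        echo "kernel $rel is not the RT stream covered by this advisory"
        return 0
    fi
    if livepatch_applied "$LIVEPATCH_DIR"; then
        echo "live patch already enabled on $rel"
    else
        apply_patch && zypper ps -s
    fi
}

# Only act on a real host when invoked as: sh check_livepatch.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

The two check functions can be reused on their own in a fleet inventory job to separate hosts that still need the patch from those already covered.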
Frequently Asked Questions (FAQ)
Q1: Will applying this live patch require a system reboot?
A: No. The entire purpose of the SUSE Linux Enterprise Live Patching module is to apply critical security fixes to the running kernel without a reboot. This ensures high availability for your services.
Q2: My system uses the standard kernel, not the RT kernel. Am I affected?
A: The vulnerabilities (CVE-2025-40129 and CVE-2025-40186) exist in the common kernel code. While the RT kernel is listed as "Affected Product" in this specific advisory, the standard kernel will receive the fixes in a future update. You are vulnerable until that standard kernel update is applied (which will require a reboot).
Q3: What is the difference between the CVSS 4.0 and CVSS 3.1 scores listed?
A: The CVSS 4.0 score for CVE-2025-40129 (8.7) provides a more granular assessment. It highlights the Attack Requirements (AT:N), meaning no special conditions are needed for a successful attack, further emphasizing the severity of this remotely exploitable DoS vulnerability. The CVSS 3.1 score (7.5) is the standard for legacy reporting.
Q4: How can an attacker exploit a race condition like CVE-2025-40186?
A: Exploiting a race condition involves an attacker running a program that continuously attempts to trigger the vulnerable code path while simultaneously manipulating system resources (e.g., closing sockets, sending resets) to create the race window. Success usually requires deep technical knowledge and multiple attempts, but automated exploit code is often developed and shared in underground forums following such disclosures.
Conclusion and Action
The SUSE-SU-2026:0491-1 update addresses two fundamentally different but equally dangerous threats to your Linux infrastructure.
The remote, unauthenticated DoS attack (CVE-2025-40129) is a direct line of fire for external threat actors, while the local privilege escalation (CVE-2025-40186) represents the next logical step for an attacker who has already breached your perimeter.
Your next steps are clear:
Immediately identify all SUSE Linux Enterprise 15 SP7 systems in your inventory, particularly those running the Real Time kernel and SAP workloads.
Prioritize patching for internet-facing systems to mitigate CVE-2025-40129.
Deploy the provided live patch commands to remediate both vulnerabilities with zero downtime.
Review your system logs for any unusual crashes or unexpected behavior in the days leading up to this patch, as they could be indicators of attempted exploitation.
Staying ahead of these threats requires more than just applying patches; it requires understanding the architecture they protect. By integrating this update, you are not just fixing code; you are reinforcing the resilience of your real-time operations against sophisticated cyber threats.