Red Hat released advisory RHSA-2026:13577 on 5 May 2026, rated Important, updating the Red Hat Enterprise Linux 8 kernel to fix six separate vulnerabilities. The package that closes the holes is kernel-4.18.0-553.123.1.el8_10, and the machine has to be rebooted before the new version takes over.
Two of the six CVEs stand out. The first is CVE-2026-23401, in the KVM hypervisor. It comes from improper handling of shadow page table entries, which opens the door to privilege escalation or a denial of service. On boxes running virtualised guests this matters, because the boundary between a VM and the host is exactly what you want to keep intact. A malicious or compromised guest could use the flaw to reach the hypervisor.
The second is CVE-2026-31402, a heap overflow in the replay cache for the NFSv4.0 LOCK operation inside the nfsd server. When a client resends a lock request, the server checks that cache so it does not process the same operation twice. Faulty memory handling on that path can corrupt the kernel heap. It affects systems that export shares over NFSv4.0, a common setup on file servers and shared storage.
The other four flaws also live in the kernel. CVE-2024-41073 fixes a double free in NVMe handling (nvme: avoid double free special payload). CVE-2025-40252 is an out-of-bounds read in the qlogic/qede network driver. CVE-2025-68724 prevents an integer overflow in the asymmetric keys routines of the crypto subsystem. The full Red Hat advisory also lists a fix in algif_aead. None reaches critical severity on its own, but all of them justify applying the whole batch.
Who is affected
Any RHEL 8 installation, including the 8.10 Extended Life Cycle branch, running a kernel older than 4.18.0-553.123.1.el8_10, across x86_64, s390x, ppc64le and aarch64. CodeReady Linux Builder 8 is in scope too. If you run KVM virtualisation or export storage over NFSv4.0, move this update up your priority list.
Mitigation
There is no recommended partial workaround beyond patching. Update the kernel package with dnf update kernel (or yum update kernel on older systems) and reboot, since the version loaded in memory does not change until the restart. Then confirm with uname -r that the machine boots kernel 4.18.0-553.123.1.el8_10 or later. On binary rebuilds such as AlmaLinux or Rocky Linux, wait for each project’s matching advisory and apply its package.
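The post-update check described above, as an added example that is not taken from the Red Hat advisory: it compares a kernel release string field by field against the fixed build and separates a host that still needs the package from one that has it installed but has not rebooted. The function names are hypothetical, and the rpm query assumes the kernel package is named kernel, as on this page.

```sh
#!/bin/sh
# Added example (not from the advisory). Function names are hypothetical.
FIXED="4.18.0-553.123.1.el8_10"   # fixed kernel build named on this page

# "4.18.0-553.123.1.el8_10.x86_64" -> "4 18 0 553 123 1" (drops dist tag and arch)
numeric_fields() {
    printf '%s\n' "${1%%.el[0-9]*}" | tr '.-' '  '
}

# Exit 0 if release $1 >= FIXED, 1 if older, 2 if it is not a parsable el8 build.
kernel_is_fixed() {
    case "$1" in *.el8*) ;; *) return 2 ;; esac
    a=$(numeric_fields "$1"); b=$(numeric_fields "$FIXED")
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%% *}; y=${b%% *}
        case "$x" in *[!0-9]*) return 2 ;; esac      # e.g. rt or debug variants
        [ "${x:-0}" -gt "${y:-0}" ] && return 0      # missing field counts as 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case "$a" in *" "*) a=${a#* } ;; *) a= ;; esac
        case "$b" in *" "*) b=${b#* } ;; *) b= ;; esac
    done
    return 0                                         # identical to FIXED
}

# kernel_status RUNNING [INSTALLED...] prints one of:
#   patched | reboot-pending | needs-update | not-el8
kernel_status() {
    running=$1; shift
    rc=0; kernel_is_fixed "$running" || rc=$?
    case $rc in 0) echo patched; return 0 ;; 2) echo not-el8; return 0 ;; esac
    # Booted kernel is old: is a fixed build already installed and waiting?
    for k in "$@"; do
        if kernel_is_fixed "$k"; then echo reboot-pending; return 0; fi
    done
    echo needs-update
}

# On a live host: compare the booted kernel with the installed kernel packages.
installed=
if command -v rpm >/dev/null 2>&1; then
    installed=$(rpm -q kernel --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' 2>/dev/null) || installed=
fi
# $installed is left unquoted on purpose so each line becomes one argument.
kernel_status "$(uname -r)" $installed
```

A result of reboot-pending means the fixed package is on disk but the old kernel is still the one loaded in memory.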
Source
- Red Hat Security Advisory: RHSA-2026:13577
- NVD: CVE-2026-23401 · CVE-2026-31402