{ "document": { "aggregate_severity": { "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" }, { "category": "details", "text": "sctp: sysctl: auth_enable: avoid using current->nsproxy\n- sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy {CVE-2025-21640}\n- bpf: Use preempt_count() directly in bpf_send_signal_common()\n- Revert \"sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy\"\n- jfs: fix slab-out-of-bounds read in ea_get()\n- serial: 8250_dma: terminate correct DMA in tx_dma_flush()\n- Revert \"sctp: sysctl: auth_enable: avoid using current->nsproxy\"\n- net: usb: usbnet: restore usb%d name exception for local mac addresses\n- vlan: fix memory leak in vlan_newlink() {CVE-2022-49636}\n- rds: ib: Fix NULL ptr deref in rds_ib_cq_follow_affinity\n- LTS tag: v5.4.291\n- eeprom: digsy_mtc: Make GPIO lookup table match the device\n- slimbus: messaging: Free transaction ID in delayed interrupt scenario {CVE-2025-21914}\n- intel_th: pci: Add Panther Lake-P/U support\n- intel_th: pci: Add Panther Lake-H support\n- intel_th: pci: Add Arrow Lake support\n- Squashfs: check the inode number is not the invalid value of zero {CVE-2024-26982}\n- xhci: pci: Fix indentation in the PCI device ID definitions\n- usb: gadget: Check bmAttributes only if configuration is valid\n- usb: gadget: Fix setting self-powered state on suspend\n- usb: gadget: Set self-powered based on MaxPower and bmAttributes\n- usb: typec: tcpci_rt1711h: Unmask alert interrupts to fix functionality\n- usb: typec: ucsi: increase timeout for PPM reset operations\n- usb: atm: cxacru: fix a flaw in existing endpoint checks {CVE-2025-21916}\n- usb: renesas_usbhs: Flush the notify_hotplug_work {CVE-2025-21917}\n- usb: quirks: Add DELAY_INIT and NO_LPM for Prolific Mass Storage Card Reader\n- usb: renesas_usbhs: Use devm_usb_get_phy()\n- usb: renesas_usbhs: Call clk_put()\n- Revert \"drivers/card_reader/rtsx_usb: Restore interrupt based detection\"\n- gpio: rcar: Fix missing of_node_put() call\n- net: ipv6: fix missing dst ref drop in ila lwtunnel\n- net: ipv6: fix dst ref loop in ila lwtunnel\n- net-timestamp: support TCP GSO case for a few missing flags\n- vlan: enforce underlying device type {CVE-2025-21920}\n- ppp: Fix KMSAN uninit-value warning with bpf {CVE-2025-21922}\n- be2net: fix sleeping while atomic bugs in be_ndo_bridge_getlink\n- drm/sched: Fix preprocessor guard\n- hwmon: fix a NULL vs IS_ERR_OR_NULL() check in xgene_hwmon_probe()\n- llc: do not use skb_get() before dev_queue_xmit() {CVE-2025-21925}\n- hwmon: (ad7314) Validate leading zero bits and return error\n- hwmon: (ntc_thermistor) Fix the ncpXXxh103 sensor table\n- hwmon: (pmbus) Initialise page count in pmbus_identify()\n- caif_virtio: fix wrong pointer check in cfv_probe() {CVE-2025-21904}\n- net: gso: fix ownership in __udp_gso_segment {CVE-2025-21926}\n- HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove() {CVE-2025-21928}\n- HID: google: fix unused variable warning under !CONFIG_ACPI\n- wifi: iwlwifi: limit printed string from FW file {CVE-2025-21905}\n- mm/page_alloc: fix uninitialized variable\n- rapidio: fix an API misues when rio_add_net() fails {CVE-2025-21934}\n- rapidio: add check for rio_add_net() in rio_scan_alloc_net()\n- wifi: nl80211: reject cooked mode if it is set along with other flags {CVE-2025-21909}\n- wifi: cfg80211: regulatory: improve invalid hints checking {CVE-2025-21910}\n- x86/cpu: Properly parse CPUID leaf 0x2 TLB descriptor 0x63\n- x86/cpu: Validate CPUID leaf 0x2 EDX output\n- x86/cacheinfo: Validate CPUID leaf 0x2 EDX output\n- platform/x86: thinkpad_acpi: Add battery quirk for ThinkPad X131e\n- drm/radeon: Fix rs400_gpu_init for ATI mobility radeon Xpress 200M\n- ALSA: hda/realtek: update ALC222 depop optimize\n- ALSA: hda: intel: Add Dell ALC3271 to power_save denylist\n- HID: appleir: Fix potential NULL dereference at raw event handle {CVE-2025-21948}\n- Revert \"of: reserved-memory: Fix using wrong number of cells to get property 'alignment'\"\n- drm/amdgpu: disable BAR resize on Dell G5 SE\n- drm/amdgpu: Check extended configuration space register when system uses large bar\n- drm/amdgpu: skip BAR resizing if the bios already did it\n- acct: perform last write from workqueue {CVE-2025-21846}\n- kernel/acct.c: use dedicated helper to access rlimit values\n- kernel/acct.c: use #elif instead of #end and #elif\n- drop_monitor: fix incorrect initialization order {CVE-2025-21862}\n- pfifo_tail_enqueue: Drop new packet when sch->limit == 0 {CVE-2025-21702}\n- sched/core: Prevent rescheduling when interrupts are disabled {CVE-2024-58090}\n- phy: exynos5-usbdrd: fix MPLL_MULTIPLIER and SSC_REFCLKSEL masks in refclk\n- phy: tegra: xusb: reset VBUS & ID OVERRIDE\n- usbnet: gl620a: fix endpoint checking in genelink_bind() {CVE-2025-21877}\n- perf/core: Fix low freq setting via IOC_PERIOD\n- ftrace: Avoid potential division by zero in function_stat_show()\n- x86/CPU: Fix warm boot hang regression on AMD SC1100 SoC systems\n- net: mvpp2: cls: Fixed Non IP flow, with vlan tag flow defination.\n- ipvs: Always clear ipvs_property flag in skb_scrub_packet()\n- ASoC: es8328: fix route from DAC to output\n- net: cadence: macb: Synchronize stats calculations\n- sunrpc: suppress warnings for unused procfs functions\n- batman-adv: Drop unmanaged ELP metric worker {CVE-2025-21823}\n- batman-adv: Ignore neighbor throughput metrics in error case\n- acct: block access to kernel internal filesystems\n- ALSA: hda/conexant: Add quirk for HP ProBook 450 G4 mute LED\n- nfp: bpf: Add check for nfp_app_ctrl_msg_alloc() {CVE-2025-21848}\n- tee: optee: Fix supplicant wait loop {CVE-2025-21871}\n- power: supply: da9150-fg: fix potential overflow\n- flow_dissector: Fix port range key handling in BPF conversion\n- flow_dissector: Fix handling of mixed port and port-range keys\n- net: extract port range fields from fl_flow_key\n- geneve: Suppress list corruption splat in geneve_destroy_tunnels().\n- geneve: Fix use-after-free in geneve_find_dev(). {CVE-2025-21858}\n- powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC\n- powerpc/64s: Rewrite __real_pte() and __rpte_to_hidx() as static inline\n- powerpc/64s/mm: Move __real_pte stubs into hash-4k.h\n- USB: gadget: f_midi: f_midi_complete to call queue_work {CVE-2025-21859}\n- usb/gadget: f_midi: Replace tasklet with work\n- usb/gadget: f_midi: convert tasklets to use new tasklet_setup() API\n- usb: dwc3: Fix timeout issue during controller enter/exit from halt state\n- usb: dwc3: Increase DWC3 controller halt timeout\n- memcg: fix soft lockup in the OOM process {CVE-2024-57977}\n- mm: update mark_victim tracepoints fields\n- crypto: testmgr - some more fixes to RSA test vectors\n- crypto: testmgr - populate RSA CRT parameters in RSA test vectors\n- crypto: testmgr - fix version number of RSA tests\n- crypto: testmgr - Fix wrong test case of RSA\n- crypto: testmgr - fix wrong key length for pkcs1pad\n- driver core: bus: Fix double free in driver API bus_register() {CVE-2024-50055}\n- scsi: storvsc: Set correct data length for sending SCSI command without payload\n- vlan: move dev_put into vlan_dev_uninit\n- vlan: introduce vlan_dev_free_egress_priority\n- pps: Fix a use-after-free {CVE-2024-57979}\n- btrfs: avoid monopolizing a core when activating a swap file\n- x86/i8253: Disable PIT timer 0 when not in use\n- parport_pc: add support for ASIX AX99100\n- serial: 8250_pci: add support for ASIX AX99100\n- can: ems_pci: move ASIX AX99100 ids to pci_ids.h\n- nilfs2: protect access to buffers with no active references {CVE-2025-21811}\n- nilfs2: do not force clear folio if buffer is referenced {CVE-2025-21722}\n- nilfs2: do not output warnings when clearing dirty buffers\n- alpha: replace hardcoded stack offsets with autogenerated ones\n- ndisc: extend RCU protection in ndisc_send_skb() {CVE-2025-21760}\n- openvswitch: use RCU protection in ovs_vport_cmd_fill_info()\n- arp: use RCU protection in arp_xmit() {CVE-2025-21762}\n- neighbour: use RCU protection in __neigh_notify() {CVE-2025-21763}\n- neighbour: delete redundant judgment statements\n- ndisc: use RCU protection in ndisc_alloc_skb() {CVE-2025-21764}\n- ipv6: use RCU protection in ip6_default_advmss() {CVE-2025-21765}\n- ipv4: use RCU protection in inet_select_addr()\n- ipv4: use RCU protection in rt_is_expired()\n- net: add dev_net_rcu() helper\n- net: treat possible_net_t net pointer as an RCU one and add read_pnet_rcu()\n- regmap-irq: Add missing kfree()\n- partitions: mac: fix handling of bogus partition table {CVE-2025-21772}\n- gpio: stmpe: Check return value of stmpe_reg_read in stmpe_gpio_irq_sync_unlock\n- alpha: align stack for page fault and user unaligned trap handlers\n- serial: 8250: Fix fifo underflow on flush\n- alpha: make stack 16-byte aligned (most cases)\n- can: j1939: j1939_sk_send_loop(): fix unable to send messages with data length zero\n- can: c_can: fix unbalanced runtime PM disable in error path\n- USB: serial: option: drop MeiG Smart defines\n- USB: serial: option: fix Telit Cinterion FN990A name\n- USB: serial: option: add Telit Cinterion FN990B compositions\n- USB: serial: option: add MeiG Smart SLM828\n- usb: cdc-acm: Fix handling of oversized fragments\n- usb: cdc-acm: Check control transfer buffer size before access {CVE-2025-21704}\n- USB: cdc-acm: Fill in Renesas R-Car D3 USB Download mode quirk\n- USB: hub: Ignore non-compliant devices with too many configs or interfaces {CVE-2025-21776}\n- usb: gadget: f_midi: fix MIDI Streaming descriptor lengths {CVE-2025-21835}\n- USB: Add USB_QUIRK_NO_LPM quirk for sony xperia xz1 smartphone\n- USB: quirks: add USB_QUIRK_NO_LPM quirk for Teclast dist\n- USB: pci-quirks: Fix HCCPARAMS register error for LS7A EHCI\n- usb: dwc2: gadget: remove of_node reference upon udc_stop\n- usb: gadget: udc: renesas_usb3: Fix compiler warning\n- usb: roles: set switch registered flag early on\n- batman-adv: fix panic during interface removal {CVE-2025-21781}\n- ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet 5V\n- orangefs: fix a oob in orangefs_debug_write {CVE-2025-21782}\n- Grab mm lock before grabbing pt lock\n- vfio/pci: Enable iowrite64 and ioread64 for vfio pci\n- media: cxd2841er: fix 64-bit division on gcc-9\n- gpio: bcm-kona: Add missing newline to dev_err format string\n- gpio: bcm-kona: Make sure GPIO bits are unlocked when requesting IRQ\n- gpio: bcm-kona: Fix GPIO lock/unlock for banks above bank 0\n- arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array {CVE-2025-21785}\n- team: better TEAM_OPTION_TYPE_STRING validation {CVE-2025-21787}\n- vrf: use RCU protection in l3mdev_l3_out() {CVE-2025-21791}\n- ndisc: ndisc_send_redirect() must use dev_get_by_index_rcu()\n- HID: multitouch: Add NULL check in mt_input_configured\n- ocfs2: check dir i_size in ocfs2_find_entry\n- MIPS: ftrace: Declare ftrace_get_parent_ra_addr() as static\n- ptp: Ensure info->enable callback is always set {CVE-2025-21814}\n- net/ncsi: wait for the last response to Deselect Package before configuring channel\n- misc: fastrpc: Fix registered buffer page address\n- mtd: onenand: Fix uninitialized retlen in do_otp_read()\n- NFC: nci: Add bounds checking in nci_hci_create_pipe()\n- nilfs2: fix possible int overflows in nilfs_fiemap() {CVE-2025-21736}\n- ocfs2: handle a symlink read error correctly {CVE-2024-58001}\n- vfio/platform: check the bounds of read/write syscalls {CVE-2025-21687}\n- nvmem: core: improve range check for nvmem_cell_write()\n- crypto: qce - unregister previously registered algos in error path\n- crypto: qce - fix goto jump in error path\n- media: uvcvideo: Remove redundant NULL assignment\n- media: uvcvideo: Fix event flags in uvc_ctrl_send_events\n- media: ov5640: fix get_light_freq on auto\n- soc: qcom: smem_state: fix missing of_node_put in error path\n- kbuild: Move -Wenum-enum-conversion to W=2\n- powerpc/pseries/eeh: Fix get PE state translation\n- serial: sh-sci: Do not probe the serial port if its slot in sci_ports[] is in use\n- serial: sh-sci: Drop __initdata macro for port_cfg\n- soc: qcom: socinfo: Avoid out of bounds read of serial number {CVE-2024-58007}\n- usb: gadget: f_tcm: Don't prepare BOT write request twice\n- usb: gadget: f_tcm: ep_autoconfig with fullspeed endpoint\n- usb: gadget: f_tcm: Decrement command ref count on cleanup\n- usb: gadget: f_tcm: Translate error to sense\n- wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize() {CVE-2025-21744}\n- HID: hid-sensor-hub: don't use stale platform-data on remove\n- of: reserved-memory: Fix using wrong number of cells to get property 'alignment'\n- of: Fix of_find_node_opts_by_path() handling of alias+path+options\n- of: Correct child specifier used as input of the 2nd nexus node\n- perf bench: Fix undefined behavior in cmpworker()\n- clk: qcom: clk-rpmh: prevent integer overflow in recalc_rate\n- clk: qcom: clk-alpha-pll: fix alpha mode configuration\n- drm/komeda: Add check for komeda_get_layer_fourcc_list()\n- KVM: s390: vsie: fix some corner-cases when grabbing vsie pages\n- KVM: Explicitly verify target vCPU is online in kvm_get_vcpu() {CVE-2024-58083}\n- arm64: dts: rockchip: increase gmac rx_delay on rk3399-puma\n- binfmt_flat: Fix integer overflow bug on 32 bit systems {CVE-2024-58010}\n- m68k: vga: Fix I/O defines\n- s390/futex: Fix FUTEX_OP_ANDN implementation\n- leds: lp8860: Write full EEPROM, not only half of it\n- cpufreq: s3c64xx: Fix compilation warning\n- tun: revert fix group permission check\n- net: rose: lock the socket in rose_bind() {CVE-2025-21749}\n- udp: gso: do not drop small packets when PMTU reduces\n- tg3: Disable tg3 PCIe AER on system reboot\n- gpu: drm_dp_cec: fix broken CEC adapter properties check\n- firmware: iscsi_ibft: fix ISCSI_IBFT Kconfig entry\n- nvme: handle connectivity loss in nvme_set_queue_count\n- usb: xhci: Fix NULL pointer dereference on certain command aborts {CVE-2024-57981}\n- usb: xhci: Add timeout argument in address_device USB HCD callback\n- net: usb: rtl8150: enable basic endpoint checking {CVE-2025-21708}\n- net: usb: rtl8150: use new tasklet API\n- tasklet: Introduce new initialization API\n- kbuild: userprogs: use correct lld when linking through clang\n- media: uvcvideo: Remove dangling pointers {CVE-2024-58002}\n- media: uvcvideo: Only save async fh if success\n- nilfs2: handle errors that nilfs_prepare_chunk() may return {CVE-2025-21721}\n- nilfs2: eliminate staggered calls to kunmap in nilfs_rename\n- nilfs2: move page release outside of nilfs_delete_entry and nilfs_set_link\n- spi-mxs: Fix chipselect glitch\n- x86/mm: Don't disable PCID when INVLPG has been fixed by microcode\n- APEI: GHES: Have GHES honor the panic= setting\n- HID: Wacom: Add PCI Wacom device support\n- mfd: lpc_ich: Add another Gemini Lake ISA bridge PCI device-id\n- tomoyo: don't emit warning in tomoyo_write_control() {CVE-2024-58085}\n- wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy()\n- mmc: core: Respect quirk_max_rate for non-UHS SDIO card\n- tun: fix group permission check\n- printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX {CVE-2024-58017}\n- x86/amd_nb: Restrict init function to AMD-based systems\n- sched: Don't try to catch up excess steal time.\n- btrfs: convert BUG_ON in btrfs_reloc_cow_block() to proper error handling\n- btrfs: fix use-after-free when attempting to join an aborted transaction {CVE-2025-21753}\n- btrfs: output the reason for open_ctree() failure\n- usb: gadget: f_tcm: Don't free command immediately {CVE-2024-58055}\n- media: uvcvideo: Fix double free in error path {CVE-2024-57980}\n- HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections\n- usb: typec: tcpm: set SRC_SEND_CAPABILITIES timeout to PD_T_SENDER_RESPONSE\n- drivers/card_reader/rtsx_usb: Restore interrupt based detection\n- ktest.pl: Check kernelrelease return in get_version\n- NFSD: Reset cb_seq_status after NFS4ERR_DELAY\n- hexagon: Fix unbalanced spinlock in die()\n- hexagon: fix using plain integer as NULL pointer warning in cmpxchg\n- genksyms: fix memory leak when the same symbol is read from *.symref file\n- genksyms: fix memory leak when the same symbol is added from source\n- net: sh_eth: Fix missing rtnl lock in suspend/resume path\n- vsock: Allow retrying on connect() failure\n- perf trace: Fix runtime error of index out of bounds\n- net: davicom: fix UAF in dm9000_drv_remove {CVE-2025-21715}\n- net: rose: fix timer races against user threads {CVE-2025-21718}\n- PM: hibernate: Add error handling for syscore_suspend()\n- ipmr: do not call mr_mfc_uses_dev() for unres entries {CVE-2025-21719}\n- net: fec: implement TSO descriptor cleanup\n- ubifs: skip dumping tnc tree when zroot is null {CVE-2024-58058}\n- rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read {CVE-2024-58069}\n- dmaengine: ti: edma: fix OF node reference leaks in edma_driver\n- module: Extend the preempt disabled section in dereference_symbol_descriptor().\n- ocfs2: mark dquot as inactive if failed to start trans while releasing dquot\n- scsi: ufs: bsg: Delete bsg_dev when setting up bsg fails\n- scsi: mpt3sas: Set ioc->manu_pg11.EEDPTagMode directly to 1\n- staging: media: imx: fix OF node leak in imx_media_add_of_subdevs()\n- media: uvcvideo: Propagate buf->error to userspace\n- media: camif-core: Add check for clk_enable()\n- media: mipi-csis: Add check for clk_enable()\n- PCI: endpoint: Destroy the EPC device in devm_pci_epc_destroy()\n- media: lmedm04: Handle errors for lme2510_int_read\n- media: lmedm04: Use GFP_KERNEL for URB allocation/submission.\n- media: rc: iguanair: handle timeouts\n- fbdev: omapfb: Fix an OF node leak in dss_of_port_get_parent_device()\n- ARM: dts: mediatek: mt7623: fix IR nodename\n- arm64: dts: mediatek: mt8173-evb: Fix MT6397 PMIC sub-node names\n- arm64: dts: mediatek: mt8173-evb: Drop regulator-compatible property\n- rdma/cxgb4: Prevent potential integer overflow on 32bit {CVE-2024-57973}\n- RDMA/mlx4: Avoid false error about access to uninitialized gids array\n- bpf: Send signals asynchronously if !preemptible {CVE-2025-21728}\n- perf report: Fix misleading help message about --demangle\n- perf top: Don't complain about lack of vmlinux when not resolving some kernel samples\n- padata: fix sysfs store callback check\n- ktest.pl: Remove unused declarations in run_bisect_test function\n- perf header: Fix one memory leakage in process_bpf_prog_info()\n- perf header: Fix one memory leakage in process_bpf_btf()\n- ASoC: sun4i-spdif: Add clock multiplier settings\n- tools/testing/selftests/bpf/test_tc_tunnel.sh: Fix wait for server bind\n- net: sched: Disallow replacing of child qdisc from one parent to another {CVE-2025-21700}\n- net/mlxfw: Drop hard coded max FW flash image size\n- net: let net.core.dev_weight always be non-zero {CVE-2025-21806}\n- clk: analogbits: Fix incorrect calculation of vco rate delta\n- selftests: harness: fix printing of mismatch values in __EXPECT()\n- selftests/harness: Display signed values correctly\n- wifi: wlcore: fix unbalanced pm_runtime calls\n- regulator: of: Implement the unwind path of of_regulator_match()\n- team: prevent adding a device which is already a team device lower {CVE-2024-58071}\n- cpupower: fix TSC MHz calculation\n- wifi: rtlwifi: pci: wait for firmware loading before releasing memory\n- wifi: rtlwifi: fix memory leaks and invalid access at probe error path {CVE-2024-58063}\n- wifi: rtlwifi: remove unused check_buddy_priv {CVE-2024-58072}\n- wifi: rtlwifi: remove unused dualmac control leftovers\n- wifi: rtlwifi: remove unused timer and related code\n- rtlwifi: replace usage of found with dedicated list iterator variable\n- dt-bindings: mmc: controller: clarify the address-cells description\n- wifi: rtlwifi: usb: fix workqueue leak when probe fails\n- wifi: rtlwifi: rtl8192se: rise completion of firmware loading as last step\n- rtlwifi: rtl8192se Rename RT_TRACE to rtl_dbg\n- wifi: rtlwifi: do not complete firmware loading needlessly\n- ipmi: ipmb: Add check devm_kasprintf() returned value {CVE-2024-58051}\n- drm/amdgpu: Fix potential NULL pointer dereference in atomctrl_get_smc_sclk_range_table\n- drm/etnaviv: Fix page property being used for non writecombine buffers\n- partitions: ldm: remove the initial kernel-doc notation\n- nbd: don't allow reconnect after disconnect {CVE-2025-21731}\n- afs: Fix directory format encoding struct\n- overflow: Allow mixed type arguments\n- overflow: Correct check_shl_overflow() comment\n- overflow: Add __must_check attribute to check_*() helpers\n- rds: ib: Do not attempt to insert RDMA exthdr twice\n- net: mana: Fix TX CQE error handling {CVE-2023-52532}\n- net/mlx5: Stop waiting for PCI if pci channel is offline\n- rds: ib: Fix racy send affinity work cancellation\n- rds: ib: Make traffic_class visible to user-space\n- rds: ib: Remove incorrect update of the path record sl and qos_class fields\n- net: core: reject skb_copy(_expand) for fraglist GSO skbs {CVE-2024-36929}\n- udp: do not accept non-tunnel GSO skbs landing in a tunnel {CVE-2024-35884}\n- udp: never accept GSO_FRAGLIST packets\n- udp: initialize is_flist with 0 in udp_gro_receive\n- ima: Fix use-after-free on a dentry's dname.name {CVE-2024-39494}\n- sched: sch_cake: add bounds checks to host bulk flow fairness counts {CVE-2025-21647}\n- udf: Fix use of check_add_overflow() with mixed type arguments\n- x86/xen: allow larger contiguous memory regions in PV guests\n- xen: remove a confusing comment on auto-translated guest I/O\n- ALSA: hda/realtek: Fixup ALC225 depop procedure\n- ALSA: hda/realtek - Add type for ALC287\n- net: loopback: Avoid sending IP packets without an Ethernet header\n- netem: Update sch->q.qlen before qdisc_tree_reduce_backlog()\n- ocfs2: fix incorrect CPU endianness conversion causing mount failure\n- Revert \"btrfs: avoid monopolizing a core when activating a swap file\"\n- gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().\n- Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc {CVE-2024-58009}\n- rds: Make sure transmit path and connection tear-down does not run concurrently\n- NFSv4: Prevent NULL-pointer dereference in nfs42_complete_copies()\n- LTS tag: v5.4.290\n- Partial revert of xhci: use pm_ptr() instead #ifdef for CONFIG_PM conditionals\n- xhci: use pm_ptr() instead of #ifdef for CONFIG_PM conditionals\n- drm/v3d: Assign job pointer to NULL before signaling the fence {CVE-2025-21688}\n- Input: xpad - add support for wooting two he (arm)\n- Input: xpad - add unofficial Xbox 360 wireless receiver clone\n- Input: atkbd - map F23 key to support default copilot shortcut\n- Revert \"usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null\"\n- USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb()\n- ext4: fix slab-use-after-free in ext4_split_extent_at()\n- ext4: avoid ext4_error()'s caused by ENOMEM in the truncate path\n- vfio/platform: check the bounds of read/write syscalls {CVE-2025-21687}\n- net/xen-netback: prevent UAF in xenvif_flush_hash() {CVE-2024-49936}\n- net: xen-netback: hash.c: Use built-in RCU list checking\n- signal/m68k: Use force_sigsegv(SIGSEGV) in fpsp040_die\n- m68k: Add missing mmap_read_lock() to sys_cacheflush()\n- m68k: Update ->thread.esp0 before calling syscall_trace() in ret_from_signal\n- gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag\n- irqchip/sunxi-nmi: Add missing SKIP_WAKE flag\n- scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request\n- ASoC: wm8994: Add depends on MFD core\n- net: fix data-races around sk->sk_forward_alloc {CVE-2024-53124}\n- scsi: sg: Fix slab-use-after-free read in sg_release() {CVE-2024-56631}\n- ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev()\n- irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly\n- fs/proc: fix softlockup in __read_vmcore (part 2) {CVE-2025-21694}\n- net: ethernet: xgbe: re-add aneg to supported features in PHY quirks\n- nvmet: propagate npwg topology\n- poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll()\n- kheaders: Ignore silly-rename files\n- hfs: Sanity check the root record\n- mac802154: check local interfaces before deleting sdata list {CVE-2024-57948}\n- i2c: mux: demux-pinctrl: check initial mux selection, too\n- drm/v3d: Ensure job pointer is set to NULL after job completion {CVE-2025-21697}\n- nfp: bpf: prevent integer overflow in nfp_bpf_event_output()\n- gtp: Destroy device along with udp socket's netns dismantle. {CVE-2025-21678}\n- gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp().\n- gtp: use exit_batch_rtnl() method\n- net: add exit_batch_rtnl() method\n- net: net_namespace: Optimize the code\n- net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field()\n- sctp: sysctl: rto_min/max: avoid using current->nsproxy\n- ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv {CVE-2024-57892}\n- ocfs2: correct return value of ocfs2_local_free_info()\n- phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider\n- phy: core: fix code style in devm_of_phy_provider_unregister\n- arm64: dts: rockchip: add hevc power domain clock to rk3328\n- arm64: dts: rockchip: add #power-domain-cells to power domain nodes\n- arm64: dts: rockchip: fix pd_tcpc0 and pd_tcpc1 node position on rk3399\n- arm64: dts: rockchip: fix defines in pd_vio node for rk3399\n- iio: inkern: call iio_device_put() only on mapped devices\n- iio: adc: at91: call input_free_device() on allocated iio_dev {CVE-2024-57904}\n- iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep()\n- iio: gyro: fxas21002c: Fix missing data update in trigger handler\n- iio: adc: ti-ads8688: fix information leak in triggered buffer {CVE-2024-57906}\n- iio: imu: kmx61: fix information leak in triggered buffer {CVE-2024-57908}\n- iio: light: vcnl4035: fix information leak in triggered buffer {CVE-2024-57910}\n- iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer\n- iio: pressure: zpa2326: fix information leak in triggered buffer {CVE-2024-57912}\n- usb: gadget: f_fs: Remove WARN_ON in functionfs_bind {CVE-2024-57913}\n- usb: fix reference leak in usb_new_device()\n- USB: core: Disable LPM only for non-suspended ports\n- USB: usblp: return error when setting unsupported protocol\n- usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null\n- USB: serial: cp210x: add Phoenix Contact UPS Device\n- usb-storage: Add max sectors quirk for Nokia 208\n- staging: iio: ad9832: Correct phase range check\n- staging: iio: ad9834: Correct phase range check\n- USB: serial: option: add Neoway N723-EA support\n- USB: serial: option: add MeiG Smart SRM815\n- drm/amd/display: increase MAX_SURFACES to the value supported by hw\n- ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[]\n- ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[]\n- drm/amd/display: Add check for granularity in dml ceil/floor helpers {CVE-2024-57922}\n- sctp: sysctl: auth_enable: avoid using current->nsproxy\n- sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy {CVE-2025-21640}\n- dm thin: make get_first_thin use rcu-safe list first function {CVE-2025-21664}\n- tls: Fix tls_sw_sendmsg error handling\n- net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute {CVE-2025-21653}\n- tcp/dccp: allow a connection when sk_max_ack_backlog is zero\n- tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog\n- net: 802: LLC+SNAP OID:PID lookup on start of skb data\n- ieee802154: ca8210: Add missing check for kfifo_alloc() in ca8210_probe()\n- dm array: fix cursor index when skipping across block boundaries\n- dm array: fix unreleased btree blocks on closing a faulty array cursor\n- dm array: fix releasing a faulty array block twice in dm_array_cursor_end {CVE-2024-57929}\n- jbd2: flush filesystem device before updating tail sequence\n- Revert \"NFSD: Limit the number of concurrent async COPY operations\"\n- rds: ib: Avoid sleeping function inside RCU region by using sampled values instead\n- dm rq: don't queue request to blk-mq during DM suspend {CVE-2021-47498}\n- dm: rearrange core declarations for extended use from dm-zone.c\n- cgroup: Make operations on the cgroup root_list RCU safe\n- uek: kabi: Fix build error for HIDE_INCLUDE macro\n- oracleasm: Fix PI when use_logical_block_size is set\n- oracleasm: Add support for per-I/O block size selection\n- perf/x86/intel/uncore: Fix NULL pointer dereference issue in upi_fill_topology()\n- io_uring: fix possible deadlock in io_register_iowq_max_workers()\n- io_uring/rw: fix missing NOWAIT check for O_DIRECT start write {CVE-2024-53052}\n- io_uring: use kiocb_{start,end}_write() helpers\n- fs: create kiocb_{start,end}_write() helpers\n- io_uring: rename kiocb_end_write() local helper\n- io_uring/sqpoll: close race on waiting for sqring entries\n- io_uring/sqpoll: do not put cpumask on stack\n- io_uring/sqpoll: retain test for whether the CPU is valid\n- io_uring/sqpoll: do not allow pinning outside of cpuset\n- io_uring/io-wq: limit retrying worker initialisation\n- vfs: check dentry is still valid in get_link()\n- RDS: avoid queueing delayed work on an offlined cpu\n- NFSD: Limit the number of concurrent async COPY operations {CVE-2024-49974}\n- LTS tag: v5.4.289\n- mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim()\n- drm: adv7511: Drop dsi single lane support\n- net/sctp: Prevent autoclose integer overflow in sctp_association_init()\n- sky2: Add device ID 11ab:4373 for Marvell 88E8075\n- pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking {CVE-2024-57889}\n- RDMA/uverbs: Prevent integer overflow issue {CVE-2024-57890}\n- modpost: fix the missed iteration for the max bit in do_input()\n- modpost: fix input MODULE_DEVICE_TABLE() built for 64-bit on 32-bit host\n- ARC: build: Try to guess GCC variant of cross compiler\n- irqchip/gic: Correct declaration of *percpu_base pointer in union gic_base\n- net: usb: qmi_wwan: add Telit FE910C04 compositions\n- bpf: fix potential error return\n- sound: usb: format: don't warn that raw DSD is unsupported\n- wifi: mac80211: wake the queues in case of failure in resume\n- ila: serialize calls to nf_register_net_hooks() {CVE-2024-57900}\n- ALSA: usb-audio: US16x08: Initialize array before use\n- net: llc: reset skb->transport_header\n- netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext {CVE-2024-54031}\n- netfilter: Replace zero-length array with flexible-array member\n- netrom: check buffer length before accessing it {CVE-2024-57802}\n- drm/bridge: adv7511_audio: Update Audio InfoFrame properly\n- drm: bridge: adv7511: Enable SPDIF DAI\n- RDMA/bnxt_re: Fix max_qp_wrs reported\n- RDMA/bnxt_re: Fix reporting hw_ver in query_device\n- RDMA/bnxt_re: Add check for path mtu in modify_qp\n- RDMA/mlx5: Enforce same type port association for multiport RoCE\n- net/mlx5: Make API mlx5_core_is_ecpf accept const pointer\n- IB/mlx5: Introduce and use mlx5_core_is_vf()\n- Drivers: hv: util: Avoid accessing a ringbuffer not initialized yet {CVE-2024-55916}\n- selinux: ignore unknown extended permissions {CVE-2024-57931}\n- ipv6: prevent possible UAF in ip6_xmit() {CVE-2024-44985}\n- skb_expand_head() adjust skb->truesize incorrectly\n- btrfs: avoid monopolizing a core when activating a swap file\n- tracing: Constify string literal data member in struct trace_event_call\n- bpf: fix recursive lock when verdict program return SK_PASS {CVE-2024-56694}\n- ipv6: fix possible UAF in ip6_finish_output2()\n- ipv6: use skb_expand_head in ip6_xmit\n- ipv6: use skb_expand_head in ip6_finish_output2\n- skbuff: introduce skb_expand_head()\n- MIPS: Probe toolchain support of -msym32\n- epoll: Add synchronous wakeup support for ep_poll_callback\n- virtio-blk: don't keep queue frozen during system suspend {CVE-2024-57946}\n- scsi: mpt3sas: Diag-Reset when Doorbell-In-Use bit is set during driver load time\n- platform/x86: asus-nb-wmi: Ignore unknown event 0xCF\n- regmap: Use correct format specifier for logging range errors\n- scsi: megaraid_sas: Fix for a potential deadlock {CVE-2024-57807}\n- scsi: qla1280: Fix hw revision numbering for ISP1020/1040\n- tracing/kprobe: Make trace_kprobe's module callback called after jump_label update\n- dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset\n- dmaengine: mv_xor: fix child node refcount handling in early exit\n- phy: core: Fix that API devm_phy_destroy() fails to destroy the phy\n- phy: core: Fix that API devm_phy_put() fails to release the phy\n- phy: core: Fix an OF node refcount leakage in of_phy_provider_lookup()\n- phy: core: Fix an OF node refcount leakage in _of_phy_get()\n- mtd: diskonchip: Cast an operand to prevent potential overflow\n- bpf: Check negative offsets in __bpf_skb_min_len()\n- media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg {CVE-2024-56769}\n- of: Fix refcount leakage for OF node returned by __of_get_dma_parent()\n- of: Fix error path in of_parse_phandle_with_args_map()\n- udmabuf: also check for F_SEAL_FUTURE_WRITE\n- nilfs2: prevent use of deleted inode {CVE-2024-53690}\n- NFS/pnfs: Fix a live lock between recalled layouts and layoutget\n- btrfs: tree-checker: reject inline extent items with 0 ref count\n- zram: refuse to use zero sized block device as backing device\n- sh: clk: Fix clk_enable() to return 0 on NULL clk\n- USB: serial: option: add Telit FE910C04 rmnet compositions\n- USB: serial: option: add MediaTek T7XX compositions\n- USB: serial: option: add Netprisma LCUK54 modules for WWAN Ready\n- USB: serial: option: add MeiG Smart SLM770A\n- USB: serial: option: add TCL IK512 MBIM & ECM\n- efivarfs: Fix error on non-existent file\n- i2c: riic: Always round-up when calculating bus period\n- chelsio/chtls: prevent potential integer overflow on 32bit\n- mmc: sdhci-tegra: Remove SDHCI_QUIRK_BROKEN_ADMA_ZEROLEN_DESC quirk\n- netfilter: ipset: Fix for recursive locking warning\n- net: ethernet: bgmac-platform: fix an OF node reference leak\n- net: hinic: Fix cleanup in create_rxqs/txqs()\n- ionic: use ee->offset when returning sprom data\n- net/smc: check sndbuf_space again after NOSPACE flag is set in smc_poll\n- erofs: fix incorrect symlink detection in fast symlink\n- erofs: fix order >= MAX_ORDER warning due to crafted negative i_size\n- drm/i915: Fix memory leak by correcting cache object name in error handler\n- PCI: Add ACS quirk for Broadcom BCM5760X NIC\n- ALSA: usb: Fix UBSAN warning in parse_audio_unit()\n- PCI/AER: Disable AER service on suspend\n- usb: dwc2: gadget: Don't write invalid mapped sg entries into dma_desc with iommu enabled\n- net: sched: fix ordering of qlen adjustment {CVE-2024-53164}\n- kpcimgr: fix flush_icache_range arguments\n- ftrace: use preempt_enable/disable notrace macros to avoid double fault\n- nfsd: restore callback functionality for NFSv4.0\n- i2c: pnx: Fix timeout in wait functions\n- of/irq: Fix using uninitialized variable @addr_len in API of_irq_parse_one()\n- af_packet: fix vlan_get_tci() vs MSG_PEEK {CVE-2024-57902}\n- af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK {CVE-2024-57901}\n- mtd: rawnand: fix double free in atmel_pmecc_create_user()\n- Revert \"xen/swiotlb: add alignment check for dma buffers\"\n- vfio/iommu_type1: Fix some sanity checks in detach group\n- Revert \"vfio/iommu_type1: Fix some sanity checks in detach group\"\n- rds: ib: Avoid UAF on RDS Socket's rs_trans_lock\n- rds: ib: Fix blocked processes related to race in rds_rdma_free_dev_rs_worker()\n- rds: ib: Fix deterministic UAF in rds_rdma_free_dev_rs_worker()\n- Revert \"KVM: SVM: Add a module parameter to override iommu AVIC usage\"\n- LTS tag: v5.4.288\n- ALSA: usb-audio: Fix a DMA to stack memory bug\n- xen/netfront: fix crash when removing device {CVE-2024-53240}\n- KVM: arm64: Ignore PMCNTENSET_EL0 while checking for overflow status\n- blk-iocost: Avoid using clamp() on inuse in __propagate_weights()\n- blk-iocost: fix weight updates of inner active iocgs\n- blk-iocost: clamp inuse and skip noops in __propagate_weights()\n- ACPICA: events/evxfregn: don't release the ContextMutex that was never acquired\n- net/sched: netem: account for backlog updates from child qdisc {CVE-2024-56770}\n- qca_spi: Make driver probing reliable\n- qca_spi: Fix clock speed for multiple QCA7000\n- ACPI: resource: Fix memory resource type union access\n- net: lapb: increase LAPB_HEADER_LEN {CVE-2024-56659}\n- tipc: fix NULL deref in cleanup_bearer() {CVE-2024-56661}\n- batman-adv: Do not let TT changes list grows indefinitely\n- batman-adv: Remove uninitialized data in full table TT response\n- batman-adv: Do not send uninitialized TT changes\n- bpf, sockmap: Fix update element with same\n- xfs: don't drop errno values when we fail to ficlone the entire range\n- usb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer\n- usb: ehci-hcd: fix call balance of clocks handling routines\n- usb: dwc2: hcd: Fix GetPortStatus & SetPortFeature\n- ata: sata_highbank: fix OF node reference leak in highbank_initialize_phys()\n- usb: host: max3421-hcd: Correctly abort a USB request.\n- LTS tag: v5.4.287\n- bpf, xdp: Update devmap comments to reflect napi/rcu usage\n- ALSA: usb-audio: Fix out of bounds reads when finding clock sources {CVE-2024-53150}\n- PCI: rockchip-ep: Fix address translation unit programming\n- Revert \"drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()\"\n- modpost: Add .irqentry.text to OTHER_SECTIONS\n- jffs2: Fix rtime decompressor\n- jffs2: Prevent rtime decompress memory corruption {CVE-2024-57850}\n- KVM: arm64: vgic-its: Clear ITE when DISCARD frees an ITE\n- KVM: arm64: vgic-its: Clear DTE when MAPD unmaps a device\n- KVM: arm64: vgic-its: Add a data length check in vgic_its_save_*\n- perf/x86/intel/pt: Fix buffer full but size is 0 case\n- bpf: fix OOB devmap writes when deleting elements {CVE-2024-56615}\n- xdp: Simplify devmap cleanup\n- misc: eeprom: eeprom_93cx6: Add quirk for extra read clock cycle\n- powerpc/prom_init: Fixup missing powermac #size-cells {CVE-2024-56781}\n- usb: chipidea: udc: handle USB Error Interrupt if IOC not set\n- i3c: Use i3cdev->desc->info instead of calling i3c_device_get_info() to avoid deadlock\n- PCI: Add ACS quirk for Wangxun FF5xxx NICs\n- PCI: Add 'reset_subordinate' to reset hierarchy below bridge\n- f2fs: fix f2fs_bug_on when uninstalling filesystem call f2fs_evict_inode. {CVE-2024-56586}\n- nvdimm: rectify the illogical code within nd_dax_probe()\n- pinctrl: qcom-pmic-gpio: add support for PM8937\n- scsi: st: Add MTIOCGET and MTLOAD to ioctls allowed after device reset\n- scsi: st: Don't modify unknown block number in MTIOCGET\n- leds: class: Protect brightness_show() with led_cdev->led_access mutex\n- tracing: Use atomic64_inc_return() in trace_clock_counter()\n- netpoll: Use rcu_access_pointer() in __netpoll_setup\n- net/neighbor: clear error in case strict check is not set\n- rocker: fix link status detection in rocker_carrier_init()\n- ASoC: hdmi-codec: reorder channel allocation list\n- Bluetooth: btusb: Add RTL8852BE device 0489:e123 to device tables\n- wifi: brcmfmac: Fix oops due to NULL pointer dereference in brcmf_sdiod_sglist_rw()\n- wifi: ipw2x00: libipw_rx_any(): fix bad alignment\n- drm/amdgpu: set the right AMDGPU sg segment limitation {CVE-2024-56594}\n- jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree {CVE-2024-56595}\n- jfs: fix array-index-out-of-bounds in jfs_readdir {CVE-2024-56596}\n- jfs: fix shift-out-of-bounds in dbSplit {CVE-2024-56597}\n- jfs: array-index-out-of-bounds fix in dtReadFirst {CVE-2024-56598}\n- wifi: ath5k: add PCI ID for Arcadyan devices\n- wifi: ath5k: add PCI ID for SX76X\n- net: inet6: do not leave a dangling sk pointer in inet6_create() {CVE-2024-40954}\n- net: inet: do not leave a dangling sk pointer in inet_create() {CVE-2024-40954}\n- net: ieee802154: do not leave a dangling sk pointer in ieee802154_create() {CVE-2024-40954}\n- net: af_can: do not leave a dangling sk pointer in can_create() {CVE-2024-40954}\n- Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()\n- af_packet: avoid erroring out after sock_init_data() in packet_create() {CVE-2024-40954}\n- net/sched: cbs: Fix integer overflow in cbs_set_port_rate()\n- net: ethernet: fs_enet: Use %pa to format resource_size_t\n- net: fec_mpc52xx_phy: Use %pa to format resource_size_t\n- samples/bpf: Fix a resource leak\n- drm/radeon/r600_cs: Fix possible int overflow in r600_packet3_check()\n- drm/mcde: Enable module autoloading\n- drm: panel-orientation-quirks: Add quirk for AYA NEO 2 model\n- media: cx231xx: Add support for Dexatek USB Video Grabber 1d19:6108\n- media: uvcvideo: Add a quirk for the Kaiweets KTI-W02 infrared camera\n- s390/cpum_sf: Handle CPU hotplug remove during sampling {CVE-2024-57849}\n- mmc: core: Further prevent card detect during shutdown\n- regmap: detach regmap from dev on regmap_exit\n- dma-buf: fix dma_fence_array_signaled v4\n- bcache: revert replacing IS_ERR_OR_NULL with IS_ERR again {CVE-2024-48881}\n- nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry() {CVE-2024-56619}\n- scsi: qla2xxx: Remove check req_sg_cnt should be equal to rsp_sg_cnt\n- scsi: qla2xxx: Supported speed displayed incorrectly for VPorts\n- scsi: qla2xxx: Fix NVMe and NPIV connect issue\n- ocfs2: update seq_file index in ocfs2_dlm_seq_next\n- tracing: Fix cmp_entries_dup() to respect sort() comparison rules\n- HID: wacom: fix when get product name maybe null pointer {CVE-2024-56629}\n- bpf: Fix exact match conditions in trie_get_next_key()\n- bpf: Handle BPF_EXIST and BPF_NOEXIST for LPM trie\n- ocfs2: free inode when ocfs2_get_init_inode() fails {CVE-2024-56630}\n- spi: mpc52xx: Add cancel_work_sync before module remove {CVE-2024-50051}\n- tcp_bpf: Fix the sk_mem_uncharge logic in tcp_bpf_sendmsg {CVE-2024-56633}\n- drm/sti: Add __iomem for mixer_dbg_mxn's parameter\n- gpio: grgpio: Add NULL check in grgpio_probe {CVE-2024-56634}\n- gpio: grgpio: use a helper variable to store the address of ofdev->dev\n- crypto: x86/aegis128 - access 32-bit arguments as 32-bit\n- x86/asm: Reorder early variables\n- xen: Fix the issue of resource not being properly released in xenbus_dev_probe()\n- xen/xenbus: fix locking\n- xenbus/backend: Protect xenbus callback with lock\n- xenbus/backend: Add memory pressure handler callback\n- xen/xenbus: reference count registered modules\n- netfilter: nft_set_hash: skip duplicated elements pending gc run\n- netfilter: ipset: Hold module reference while requesting a module {CVE-2024-56637}\n- igb: Fix potential invalid memory access in igb_init_module() {CVE-2024-52332}\n- net/qed: allow old cards not supporting \"num_images\" to work\n- tipc: Fix use-after-free of kernel socket in cleanup_bearer(). {CVE-2024-56642}\n- tipc: add new AEAD key structure for user API\n- tipc: enable creating a \"preliminary\" node\n- tipc: add reference counter to bearer\n- dccp: Fix memory leak in dccp_feat_change_recv {CVE-2024-56643}\n- can: j1939: j1939_session_new(): fix skb reference counting {CVE-2024-56645}\n- net/sched: tbf: correct backlog statistic for GSO packets\n- netfilter: x_tables: fix LED ID check in led_tg_check() {CVE-2024-56650}\n- ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init() {CVE-2024-53680}\n- can: sun4i_can: sun4i_can_err(): fix {rx,tx}_errors statistics\n- can: sun4i_can: sun4i_can_err(): call can_change_state() even if cf is NULL\n- watchdog: mediatek: Make sure system reset gets asserted in mtk_wdt_restart()\n- iTCO_wdt: mask NMI_NOW bit for update_no_reboot_bit() call\n- drm/etnaviv: flush shader L1 cache after user commandstream\n- nfsd: fix nfs4_openowner leak when concurrent nfsd4_open occur {CVE-2024-56779}\n- nfsd: make sure exp active before svc_export_show {CVE-2024-56558}\n- dm thin: Add missing destroy_work_on_stack()\n- i3c: master: Fix miss free init_dyn_addr at i3c_master_put_i3c_addrs()\n- util_macros.h: fix/rework find_closest() macros\n- ad7780: fix division by zero in ad7780_write_raw() {CVE-2024-56567}\n- clk: qcom: gcc-qcs404: fix initial rate of GPLL3\n- ftrace: Fix regression with module command in stack_trace_filter {CVE-2024-56569}\n- ovl: Filter invalid inodes with missing lookup function {CVE-2024-56570}\n- media: platform: allegro-dvt: Fix possible memory leak in allocate_buffers_internal()\n- media: gspca: ov534-ov772x: Fix off-by-one error in set_frame_rate()\n- media: venus: Fix pm_runtime_set_suspended() with runtime pm enabled\n- media: ts2020: fix null-ptr-deref in ts2020_probe() {CVE-2024-56574}\n- media: i2c: tc358743: Fix crash in the probe error path when using polling\n- btrfs: ref-verify: fix use-after-free after invalid ref action {CVE-2024-56581}\n- quota: flush quota_release_work upon quota writeback {CVE-2024-56780}\n- ASoC: fsl_micfil: fix the naming style for mask definition\n- sh: intc: Fix use-after-free bug in register_intc_controller()\n- sunrpc: clear XPRT_SOCK_UPD_TIMEOUT when reset transport {CVE-2024-56688}\n- SUNRPC: Replace internal use of SOCKWQ_ASYNC_NOSPACE\n- SUNRPC: correct error code comment in xs_tcp_setup_socket()\n- modpost: remove incorrect code in do_eisa_entry()\n- rtc: ab-eoz9: don't fail temperature reads on undervoltage notification\n- 9p/xen: fix release of IRQ {CVE-2024-56704}\n- 9p/xen: fix init sequence\n- block: return unsigned int from bdev_io_min\n- jffs2: fix use of uninitialized variable\n- ubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit\n- ubi: fastmap: Fix duplicate slab cache names while attaching {CVE-2024-53172}\n- ubifs: Correct the total block count by deducting journal reservation\n- rtc: check if __rtc_read_time was successful in rtc_timer_do_work() {CVE-2024-56739}\n- rtc: abx80x: Fix WDT bit position of the status register\n- rtc: st-lpc: Use IRQF_NO_AUTOEN flag in request_irq()\n- NFSv4.0: Fix a use-after-free problem in the asynchronous open()\n- um: Always dump trace for specified task in show_stack\n- um: Clean up stacktrace dump\n- um: add show_stack_loglvl()\n- um/sysrq: remove needless variable sp\n- um: Fix the return value of elf_core_copy_task_fpregs\n- um: Fix potential integer overflow during physmem setup {CVE-2024-53145}\n- rpmsg: glink: Propagate TX failures in intentless mode as well\n- SUNRPC: make sure cache entry active before cache_show {CVE-2024-53174}\n- NFSD: Prevent a potential integer overflow {CVE-2024-53146}\n- lib: string_helpers: silence snprintf() output truncation warning\n- usb: dwc3: gadget: Fix checking for number of TRBs left\n- ALSA: hda/realtek: Apply quirk for Medion E15433\n- ALSA: hda/realtek: Fix Internal Speaker and Mic boost of Infinix Y4 Max\n- ALSA: hda/realtek: Set PCBeep to default value for ALC274\n- ALSA: hda/realtek: Update ALC225 depop procedure\n- media: wl128x: Fix atomicity violation in fmc_send_cmd() {CVE-2024-56700}\n- HID: wacom: Interpret tilt data from Intuos Pro BT as signed values\n- block: fix ordering between checking BLK_MQ_S_STOPPED request adding\n- arm64: tls: Fix context-switching of tpidrro_el0 when kpti is enabled\n- sh: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK\n- um: vector: Do not use drvdata in release {CVE-2024-53181}\n- serial: 8250: omap: Move pm_runtime_get_sync\n- um: net: Do not use drvdata in release {CVE-2024-53183}\n- um: ubd: Do not use drvdata in release {CVE-2024-53184}\n- ubi: wl: Put source PEB into correct list if trying locking LEB failed\n- spi: Fix acpi deferred irq probe\n- netfilter: ipset: add missing range check in bitmap_ip_uadt {CVE-2024-53141}\n- Revert \"serial: sh-sci: Clean sci_ports[0] after at earlycon exit\"\n- serial: sh-sci: Clean sci_ports[0] after at earlycon exit\n- Bluetooth: Fix type of len in rfcomm_sock_getsockopt{,_old}()\n- tty: ldsic: fix tty_ldisc_autoload sysctl's proc_handler\n- comedi: Flush partial mappings in error case {CVE-2024-53148}\n- PCI: Fix use-after-free of slot->bus on hot remove {CVE-2024-53194}\n- ASoC: codecs: Fix atomicity violation in snd_soc_component_get_drvdata()\n- jfs: xattr: check invalid xattr size more strictly\n- ext4: fix FS_IOC_GETFSMAP handling\n- ext4: supress data-race warnings in ext4_free_inodes_{count,set}()\n- ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices\n- soc: qcom: socinfo: fix revision check in qcom_socinfo_probe()\n- usb: ehci-spear: fix call balance of sehci clk handling routines\n- apparmor: fix 'Do simple duplicate message elimination'\n- staging: greybus: uart: clean up TIOCGSERIAL\n- misc: apds990x: Fix missing pm_runtime_disable()\n- USB: chaoskey: Fix possible deadlock chaoskey_list_lock\n- USB: chaoskey: fail open after removal\n- usb: yurex: make waiting on yurex_write interruptible\n- usb: using mutex lock and supporting O_NONBLOCK flag in iowarrior_read()\n- ipmr: fix tables suspicious RCU usage\n- ipmr: convert /proc handlers to rcu_read_lock()\n- net: stmmac: dwmac-socfpga: Set RX watchdog interrupt as broken\n- marvell: pxa168_eth: fix call balance of pep->clk handling routines\n- net: usb: lan78xx: Fix refcounting and autosuspend on invalid WoL configuration\n- tg3: Set coherent DMA mask bits to 31 for BCM57766 chipsets\n- net: usb: lan78xx: Fix memory leak on device unplug by freeing PHY device\n- power: supply: core: Remove might_sleep() from power_supply_put()\n- vfio/pci: Properly hide first-in-list PCIe extended capability {CVE-2024-53214}\n- NFSD: Fix nfsd4_shutdown_copy()\n- NFSD: Cap the number of bytes copied by nfs4_reset_recoverydir()\n- NFSD: Prevent NULL dereference in nfsd4_process_cb_update()\n- rpmsg: glink: use only lower 16-bits of param2 for CMD_OPEN name length\n- rpmsg: glink: Fix GLINK command prefix\n- rpmsg: glink: Send READ_NOTIFY command in FIFO full case\n- rpmsg: glink: Add TX_DATA_CONT command while sending\n- perf trace: Avoid garbage when not printing a syscall's arguments\n- perf trace: Do not lose last events in a race\n- m68k: coldfire/device.c: only build FEC when HW macros are defined\n- m68k: mcfgpio: Fix incorrect register offset for CONFIG_M5441x\n- PCI: cpqphp: Fix PCIBIOS_* return value confusion\n- PCI: cpqphp: Use PCI_POSSIBLE_ERROR() to check config reads\n- perf probe: Correct demangled symbols in C++ program\n- perf cs-etm: Don't flush when packet_queue fills up\n- clk: clk-axi-clkgen: make sure to enable the AXI bus clock\n- clk: axi-clkgen: use devm_platform_ioremap_resource() short-hand\n- dt-bindings: clock: axi-clkgen: include AXI clk\n- dt-bindings: clock: adi,axi-clkgen: convert old binding to yaml format\n- fbdev: sh7760fb: Fix a possible memory leak in sh7760fb_alloc_mem()\n- fbdev/sh7760fb: Alloc DMA memory from hardware device\n- powerpc/sstep: make emulate_vsx_load and emulate_vsx_store static\n- ocfs2: fix uninitialized value in ocfs2_file_read_iter()\n- scsi: qedi: Fix a possible memory leak in qedi_alloc_and_init_sb()\n- scsi: qedf: Fix a possible memory leak in qedf_alloc_and_init_sb()\n- scsi: fusion: Remove unused variable 'rc'\n- scsi: bfa: Fix use-after-free in bfad_im_module_exit()\n- mfd: rt5033: Fix missing regmap_del_irq_chip()\n- mtd: rawnand: atmel: Fix possible memory leak\n- cpufreq: loongson2: Unregister platform_driver on failure\n- mfd: intel_soc_pmic_bxtwc: Use IRQ domain for PMIC devices {CVE-2024-56723}\n- mfd: intel_soc_pmic_bxtwc: Use IRQ domain for TMU device {CVE-2024-56724}\n- mfd: intel_soc_pmic_bxtwc: Use IRQ domain for USB Type-C device {CVE-2024-56691}\n- mfd: intel_soc_pmic_bxtwc: Use dev_err_probe()\n- mfd: da9052-spi: Change read-mask to write-mask\n- mfd: tps65010: Use IRQF_NO_AUTOEN flag in request_irq() to fix race\n- trace/trace_event_perf: remove duplicate samples on the first tracepoint event\n- netpoll: Use rcu_access_pointer() in netpoll_poll_lock\n- ALSA: 6fire: Release resources at card release {CVE-2024-53239}\n- ALSA: caiaq: Use snd_card_free_when_closed() at disconnection {CVE-2024-56531}\n- ALSA: us122l: Use snd_card_free_when_closed() at disconnection {CVE-2024-56532}\n- net: rfkill: gpio: Add check for clk_enable()\n- selftests: net: really check for bg process completion\n- bpf, sockmap: Fix sk_msg_reset_curr\n- bpf, sockmap: Several fixes to bpf_msg_pop_data {CVE-2024-56720}\n- bpf, sockmap: Several fixes to bpf_msg_push_data\n- drm/etnaviv: hold GPU lock across perfmon sampling\n- drm/etnaviv: fix power register offset on GC300\n- drm/etnaviv: dump: fix sparse warnings\n- drm/msm/adreno: Use IRQF_NO_AUTOEN flag in request_irq()\n- drm/panfrost: Remove unused id_mask from struct panfrost_model\n- wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan()\n- bpf: Fix the xdp_adjust_tail sample prog issue\n- ASoC: fsl_micfil: fix regmap_write_bits usage\n- ASoC: fsl_micfil: use GENMASK to define register bit fields\n- ASoC: fsl_micfil: do not define SHIFT/MASK for single bits\n- ASoC: fsl_micfil: Drop unnecessary register read\n- dt-bindings: vendor-prefixes: Add NeoFidelity, Inc\n- drm/imx/ipuv3: Use IRQF_NO_AUTOEN flag in request_irq()\n- wifi: mwifiex: Use IRQF_NO_AUTOEN flag in request_irq()\n- wifi: p54: Use IRQF_NO_AUTOEN flag in request_irq()\n- drm/omap: Fix locking in omap_gem_new_dmabuf()\n- wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service() {CVE-2024-53156}\n- drm/mm: Mark drm_mm_interval_tree*() functions with __maybe_unused\n- firmware: arm_scpi: Check the DVFS OPP count returned by the firmware {CVE-2024-53157}\n- regmap: irq: Set lockdep class for hierarchical IRQ domains\n- ARM: dts: cubieboard4: Fix DCDC5 regulator constraints\n- tpm: fix signed/unsigned bug when checking event logs\n- efi/tpm: Pass correct address to memblock_reserve\n- mmc: mmc_spi: drop buggy snprintf()\n- soc: qcom: geni-se: fix array underflow in geni_se_clk_tbl_get()\n- soc: ti: smartreflex: Use IRQF_NO_AUTOEN flag in request_irq()\n- time: Fix references to _msecs_to_jiffies() handling of values\n- crypto: cavium - Fix an error handling path in cpt_ucode_load_fw()\n- crypto: bcm - add error check in the ahash_hmac_init function {CVE-2024-56681}\n- crypto: cavium - Fix the if condition to exit loop after timeout\n- crypto: pcrypt - Call crypto layer directly when padata_do_parallel() return -EBUSY\n- EDAC/fsl_ddr: Fix bad bit shift operations\n- EDAC/bluefield: Fix potential integer overflow {CVE-2024-53161}\n- firmware: google: Unregister driver_info on failure\n- firmware: google: Unregister driver_info on failure and exit in gsmi\n- hfsplus: don't query the device logical block size multiple times {CVE-2024-56548}\n- s390/syscalls: Avoid creation of arch/arch/ directory\n- acpi/arm64: Adjust error handling procedure in gtdt_parse_timer_block()\n- m68k: mvme147: Reinstate early console\n- m68k: mvme16x: Add and use \"mvme16x.h\"\n- m68k: mvme147: Fix SCSI controller IRQ numbers\n- nvme-pci: fix freeing of the HMB descriptor table {CVE-2024-56756}\n- initramfs: avoid filename buffer overrun {CVE-2024-53142}\n- mips: asm: fix warning when disabling MIPS_FP_SUPPORT\n- x86/xen/pvh: Annotate indirect branch as safe\n- nvme: fix metadata handling in nvme-passthrough\n- cifs: Fix buffer overflow when parsing NFS reparse points {CVE-2024-49996}\n- ipmr: Fix access to mfc_cache_list without lock held\n- proc/softirqs: replace seq_printf with seq_put_decimal_ull_width\n- ASoC: stm: Prevent potential division by zero in stm32_sai_get_clk_div()\n- ASoC: stm: Prevent potential division by zero in stm32_sai_mclk_round_rate()\n- regulator: rk808: Add apply_bit for BUCK3 on RK809\n- soc: qcom: Add check devm_kasprintf() returned value\n- net: usb: qmi_wwan: add Quectel RG650V\n- x86/amd_nb: Fix compile-testing without CONFIG_AMD_NB\n- ALSA: hda/realtek: Add subwoofer quirk for Infinix ZERO BOOK 13\n- selftests/watchdog-test: Fix system accidentally reset after watchdog-test\n- mac80211: fix user-power when emulating chanctx\n- ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet\n- kbuild: Use uname for LINUX_COMPILE_HOST detection\n- media: dvbdev: fix the logic when DVB_DYNAMIC_MINORS is not set\n- nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint {CVE-2024-53130}\n- ocfs2: fix UBSAN warning in ocfs2_verify_volume()\n- nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint {CVE-2024-53131}\n- KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN\n- ocfs2: uncache inode which has failed entering the group {CVE-2024-53112}\n- net/mlx5e: kTLS, Fix incorrect page refcounting {CVE-2024-53138}\n- net/mlx5: fs, lock FTE when checking if active {CVE-2024-53121}\n- netlink: terminate outstanding dump on socket close {CVE-2024-53140}\n- LTS tag: v5.4.286\n- 9p: fix slab cache name creation for real\n- md/raid10: improve code of mrdev in raid10_sync_request\n- net: usb: qmi_wwan: add Fibocom FG132 0x0112 composition\n- fs: Fix uninitialized value issue in from_kuid and from_kgid {CVE-2024-53101}\n- powerpc/powernv: Free name on error in opal_event_init()\n- sound: Make CONFIG_SND depend on INDIRECT_IOMEM instead of UML\n- bpf: use kvzmalloc to allocate BPF verifier environment\n- HID: multitouch: Add quirk for HONOR MagicBook Art 14 touchpad\n- 9p: Avoid creating multiple slab caches with the same name\n- ALSA: usb-audio: Add endianness annotations\n- vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans {CVE-2024-50264}\n- hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer {CVE-2024-53103}\n- ftrace: Fix possible use-after-free issue in ftrace_location() {CVE-2024-38588}\n- NFSD: Fix NFSv4's PUTPUBFH operation\n- ALSA: usb-audio: Add quirks for Dell WD19 dock\n- ALSA: usb-audio: Support jack detection on Dell dock\n- ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove()\n- irqchip/gic-v3: Force propagation of the active state with a read-back\n- USB: serial: option: add Quectel RG650V\n- USB: serial: option: add Fibocom FG132 0x0112 composition\n- USB: serial: qcserial: add support for Sierra Wireless EM86xx\n- USB: serial: io_edgeport: fix use after free in debug printk {CVE-2024-50267}\n- usb: musb: sunxi: Fix accessing an released usb phy {CVE-2024-50269}\n- fs/proc: fix compile warning about variable 'vmcore_mmap_ops'\n- media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format\n- net: bridge: xmit: make sure we have at least eth header len bytes {CVE-2024-38538}\n- spi: fix use-after-free of the add_lock mutex {CVE-2021-47195}\n- spi: Fix deadlock when adding SPI controllers on SPI buses {CVE-2021-47469}\n- mtd: rawnand: protect access to rawnand devices while in suspend\n- btrfs: reinitialize delayed ref list after deleting it from the list {CVE-2024-50273}\n- nfs: Fix KMSAN warning in decode_getfattr_attrs() {CVE-2024-53066}\n- dm-unstriped: cast an operand to sector_t to prevent potential uint32_t overflow\n- dm cache: fix potential out-of-bounds access on the first resume {CVE-2024-50278}\n- dm cache: optimize dirty bit checking with find_next_bit when resizing\n- dm cache: fix out-of-bounds access to the dirty bitset when resizing {CVE-2024-50279}\n- dm cache: correct the number of origin blocks to match the target length\n- drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()\n- pwm: imx-tpm: Use correct MODULO value for EPWM mode\n- media: v4l2-tpg: prevent the risk of a division by zero {CVE-2024-50287}\n- media: cx24116: prevent overflows on SNR calculus {CVE-2024-50290}\n- media: s5p-jpeg: prevent buffer overflows {CVE-2024-53061}\n- ALSA: firewire-lib: fix return value on fail in amdtp_tscm_init()\n- media: adv7604: prevent underflow condition when reporting colorspace\n- media: dvb_frontend: don't play tricks with underflow values\n- media: dvbdev: prevent the risk of out of memory access {CVE-2024-53063}\n- media: stb0899_algo: initialize cfr before using it\n- net: hns3: fix kernel crash when uninstalling driver {CVE-2024-50296}\n- can: c_can: fix {rx,tx}_errors statistics\n- sctp: properly validate chunk size in sctp_sf_ootb() {CVE-2024-50299}\n- net: enetc: set MAC address to the VF net_device\n- enetc: simplify the return expression of enetc_vf_set_mac_addr()\n- security/keys: fix slab-out-of-bounds in key_task_permission\n- HID: core: zero-initialize the report buffer {CVE-2024-50302}\n- ARM: dts: rockchip: Fix the realtek audio codec on rk3036-kylin\n- ARM: dts: rockchip: Fix the spi controller on rk3036\n- ARM: dts: rockchip: drop grf reference from rk3036 hdmi\n- ARM: dts: rockchip: fix rk3036 acodec node\n- arm64: dts: rockchip: Remove #cooling-cells from fan on Theobroma lion\n- arm64: dts: rockchip: Fix bluetooth properties on Rock960 boards\n- arm64: dts: rockchip: Remove hdmi's 2nd interrupt on rk3328\n- arm64: dts: rockchip: Fix rt5651 compatible value on rk3399-sapphire-excavator\n- rds/ib: avoid scq/rcq polling during rds connection shutdown\n- RDMA/mlx5: Send UAR page index as ioctl attribute\n- RDMA: Pass entire uverbs attr bundle to create cq function\n- IB/uverbs: Enable CQ ioctl commands by default\n- tracing/kprobes: Skip symbol counting logic for module symbols in create_local_trace_kprobe()\n- RDMA/bnxt_re: Check cqe flags to know imm_data vs inv_irkey\n- Revert \"mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K\" {CVE-2024-53127}\n- mm: revert \"mm: shmem: fix data-race in shmem_getattr()\"\n- net/ipv6: release expired exception dst cached in socket {CVE-2024-56644}\n- Revert \"unicode: Don't special case ignorable code points\"\n- powerpc/vdso: Flag VDSO64 entry points as functions\n- Revert \"usb: gadget: composite: fix OS descriptors w_value logic\"\n- rds: recv_payload_bad_checksum was not 0 after running rds-stress on UEK6\n- rds: If RDS Checksums are enabled for RDMA RDS operations, the extension headers will overflow causing incorrect operation\n- rds: rds_message_alloc() needlessly zeroes m_used_sgs\n- rds: tracepoint in rds_receive_csum_err() prints pointless information\n- rds: rds_inc_init() should initialize the inc->i_conn_path field\n- rds: Race condition in adding RDS payload checksum extension header may result in RDS header corruption\n- md/raid10: fix task hung in raid10d\n- md/raid10: factor out code from wait_barrier() to stop_waiting_barrier()\n- md/raid10: avoid deadlock on recovery.\n- arm64/cpu_errata: Spectre-BHB mitigation for AMPERE1 expects a loop of 11 iterations.\n- net/rds: report pending-messages count in RDS_INQ response\n- net/rds: Introduce RDS-INQ feature to RDS protocol\n- net/rds: Supporting SIOCOUTQ to read pending sends\n- mm/memory-failure: pass the folio and the page to collect_procs()\n- KVM: x86: Stop compiling vmenter.S with OBJECT_FILES_NON_STANDARD\n- KVM: SVM: Create a stack frame in __svm_vcpu_run() for unwinding\n- objtool: Default ignore INT3 for unreachable\n- x86/spec_ctrl: AMD AutoIBRS cannot be dynamically enabled or disabled\n- x86/msr: Add functions to set/clear the bit of an MSR on all cpus", "title": "Details" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/oraclelinux7els/advisories/2025/clsa-2025_1746479711.json" }, { "category": "self", "summary": "https://cve.tuxcare.com/els/releases/CLSA-2025:1746479711", "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1746479711" } ], "tracking": { "current_release_date": "2025-05-19T15:28:04Z", "generator": { "date": "2025-05-19T15:28:04Z", "engine": { "name": "pyCSAF" } }, "id": "CLSA-2025:1746479711", "initial_release_date": "2025-05-05T21:15:13Z", "revision_history": [ { "date": "2025-05-05T21:15:13Z", "number": "1", "summary": "Initial version" }, { "date": "2025-05-19T15:28:04Z", "number": "2", "summary": "Official Publication" } ], "status": "final", "version": "2" }, "title": "kernel-uek: Fix of 218 CVEs" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Oracle Linux 7", "product": { "name": "Oracle Linux 7", "product_id": "Oracle-Linux-7", "product_identification_helper": { "cpe": "cpe:2.3:o:oracle:linux:7:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "Oracle Linux" } ], "category": "vendor", "name": "Oracle Corporation" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "bpftool-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "product": { "name": "bpftool-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "product_id": "bpftool-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/bpftool@5.4.17-2136.338.4.2.el7uek.tuxcare.els1?arch=x86_64" } } }, { "category": "product_version", "name": "kernel-uek-tools-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "product": { "name": "kernel-uek-tools-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "product_id": "kernel-uek-tools-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/kernel-uek-tools@5.4.17-2136.338.4.2.el7uek.tuxcare.els1?arch=x86_64" } } }, { "category": "product_version", "name": "kernel-uek-container-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "product": { "name": "kernel-uek-container-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "product_id": "kernel-uek-container-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/kernel-uek-container@5.4.17-2136.338.4.2.el7uek.tuxcare.els1?arch=x86_64" } } }, { "category": "product_version", "name": "kernel-uek-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "product": { "name": "kernel-uek-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "product_id": "kernel-uek-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/kernel-uek@5.4.17-2136.338.4.2.el7uek.tuxcare.els1?arch=x86_64" } } }, { "category": "product_version", "name": "kernel-uek-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "product": { "name": "kernel-uek-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "product_id": "kernel-uek-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/kernel-uek-devel@5.4.17-2136.338.4.2.el7uek.tuxcare.els1?arch=x86_64" } } }, { "category": "product_version", "name": "python-perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "product": { "name": "python-perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "product_id": "python-perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/python-perf@5.4.17-2136.338.4.2.el7uek.tuxcare.els1?arch=x86_64" } } }, { "category": "product_version", "name": "perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "product": { "name": "perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "product_id": "perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/perf@5.4.17-2136.338.4.2.el7uek.tuxcare.els1?arch=x86_64" } } }, { "category": "product_version", "name": "kernel-uek-headers-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "product": { "name": "kernel-uek-headers-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "product_id": "kernel-uek-headers-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/kernel-uek-headers@5.4.17-2136.338.4.2.el7uek.tuxcare.els1?arch=x86_64" } } }, { "category": "product_version", "name": "kernel-uek-debug-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "product": { "name": "kernel-uek-debug-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "product_id": "kernel-uek-debug-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/kernel-uek-debug-devel@5.4.17-2136.338.4.2.el7uek.tuxcare.els1?arch=x86_64" } } }, { "category": "product_version", "name": "kernel-uek-container-debug-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "product": { "name": "kernel-uek-container-debug-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "product_id": "kernel-uek-container-debug-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/kernel-uek-container-debug@5.4.17-2136.338.4.2.el7uek.tuxcare.els1?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "bpftool-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64 as a component of Oracle Linux 7", "product_id": "Oracle-Linux-7:bpftool-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64" }, "product_reference": "bpftool-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "relates_to_product_reference": "Oracle-Linux-7" }, { "category": "default_component_of", "full_product_name": { "name": "kernel-uek-tools-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64 as a component of Oracle Linux 7", "product_id": "Oracle-Linux-7:kernel-uek-tools-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64" }, "product_reference": "kernel-uek-tools-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "relates_to_product_reference": "Oracle-Linux-7" }, { "category": "default_component_of", "full_product_name": { "name": "kernel-uek-container-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64 as a component of Oracle Linux 7", "product_id": "Oracle-Linux-7:kernel-uek-container-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64" }, "product_reference": "kernel-uek-container-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "relates_to_product_reference": "Oracle-Linux-7" }, { "category": "default_component_of", "full_product_name": { "name": "kernel-uek-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64 as a component of Oracle Linux 7", "product_id": "Oracle-Linux-7:kernel-uek-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64" }, "product_reference": "kernel-uek-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "relates_to_product_reference": "Oracle-Linux-7" }, { "category": "default_component_of", "full_product_name": { "name": "kernel-uek-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64 as a component of Oracle Linux 7", "product_id": "Oracle-Linux-7:kernel-uek-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64" }, "product_reference": "kernel-uek-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "relates_to_product_reference": "Oracle-Linux-7" }, { "category": "default_component_of", "full_product_name": { "name": "python-perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64 as a component of Oracle Linux 7", "product_id": "Oracle-Linux-7:python-perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64" }, "product_reference": "python-perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "relates_to_product_reference": "Oracle-Linux-7" }, { "category": "default_component_of", "full_product_name": { "name": "perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64 as a component of Oracle Linux 7", "product_id": "Oracle-Linux-7:perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64" }, "product_reference": "perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "relates_to_product_reference": "Oracle-Linux-7" }, { "category": "default_component_of", "full_product_name": { "name": "kernel-uek-headers-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64 as a component of Oracle Linux 7", "product_id": "Oracle-Linux-7:kernel-uek-headers-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64" }, "product_reference": "kernel-uek-headers-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "relates_to_product_reference": "Oracle-Linux-7" }, { "category": "default_component_of", "full_product_name": { "name": "kernel-uek-debug-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64 as a component of Oracle Linux 7", "product_id": "Oracle-Linux-7:kernel-uek-debug-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64" }, "product_reference": "kernel-uek-debug-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "relates_to_product_reference": "Oracle-Linux-7" }, { "category": "default_component_of", "full_product_name": { "name": "kernel-uek-container-debug-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64 as a component of Oracle Linux 7", "product_id": "Oracle-Linux-7:kernel-uek-container-debug-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64" }, "product_reference": "kernel-uek-container-debug-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "relates_to_product_reference": "Oracle-Linux-7" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-49636", "cwe": { "id": "CWE-401", "name": "Missing Release of Memory after Effective Lifetime" }, "notes": [ { "category": "description", "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nvlan: fix memory leak in vlan_newlink()\n\nBlamed commit added back a bug I fixed in commit 9bbd917e0bec\n(\"vlan: fix memory leak in vlan_dev_set_egress_priority\")\n\nIf a memory allocation fails in vlan_changelink() after other allocations\nsucceeded, we need to call vlan_dev_free_egress_priority()\nto free all allocated memory because after a failed ->newlink()\nwe do not call any methods like ndo_uninit() or dev->priv_destructor().\n\nIn following example, if the allocation for last element 2000:2001 fails,\nwe need to free eight prior allocations:\n\nip link add link dummy0 dummy0.100 type vlan id 100 \\\n\tegress-qos-map 1:2 2:3 3:4 4:5 5:6 6:7 7:8 8:9 2000:2001\n\nsyzbot report was:\n\nBUG: memory leak\nunreferenced object 0xffff888117bd1060 (size 32):\ncomm \"syz-executor408\", pid 3759, jiffies 4294956555 (age 34.090s)\nhex dump (first 32 bytes):\n09 00 00 00 00 a0 00 00 00 00 00 00 00 00 00 00 ................\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\nbacktrace:\n[] kmalloc include/linux/slab.h:600 [inline]\n[] vlan_dev_set_egress_priority+0xed/0x170 net/8021q/vlan_dev.c:193\n[] vlan_changelink+0x178/0x1d0 net/8021q/vlan_netlink.c:128\n[] vlan_newlink+0x148/0x260 net/8021q/vlan_netlink.c:185\n[] rtnl_newlink_create net/core/rtnetlink.c:3363 [inline]\n[] __rtnl_newlink+0xa58/0xdc0 net/core/rtnetlink.c:3580\n[] rtnl_newlink+0x49/0x70 net/core/rtnetlink.c:3593\n[] rtnetlink_rcv_msg+0x21c/0x5c0 net/core/rtnetlink.c:6089\n[] netlink_rcv_skb+0x87/0x1d0 net/netlink/af_netlink.c:2501\n[] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n[] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345\n[] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921\n[] sock_sendmsg_nosec net/socket.c:714 [inline]\n[] sock_sendmsg+0x56/0x80 net/socket.c:734\n[] ____sys_sendmsg+0x36c/0x390 net/socket.c:2488\n[] ___sys_sendmsg+0x8b/0xd0 net/socket.c:2542\n[] __sys_sendmsg net/socket.c:2571 [inline]\n[] __do_sys_sendmsg net/socket.c:2580 [inline]\n[] __se_sys_sendmsg net/socket.c:2578 [inline]\n[] __x64_sys_sendmsg+0x78/0xf0 net/socket.c:2578\n[] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n[] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n[] entry_SYSCALL_64_after_hwframe+0x46/0xb0", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Oracle-Linux-7:bpftool-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-tools-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:python-perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-headers-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-debug-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-debug-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2022-49636" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/4c43069bb1097dd6cc1cf0f7c43a36d1f7b3910b", "url": "https://git.kernel.org/stable/c/4c43069bb1097dd6cc1cf0f7c43a36d1f7b3910b" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/549de58dba4bf1b2adc72e9948b9c76fa88be9d2", "url": "https://git.kernel.org/stable/c/549de58dba4bf1b2adc72e9948b9c76fa88be9d2" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/72a0b329114b1caa8e69dfa7cdad1dd3c69b8602", "url": "https://git.kernel.org/stable/c/72a0b329114b1caa8e69dfa7cdad1dd3c69b8602" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/df27729a4fe0002dfd80c96fe1c142829c672728", "url": "https://git.kernel.org/stable/c/df27729a4fe0002dfd80c96fe1c142829c672728" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/f5dc10b910bdac523e5947336445a77066c51bf9", "url": "https://git.kernel.org/stable/c/f5dc10b910bdac523e5947336445a77066c51bf9" } ], "release_date": "2025-02-26T07:01:00", "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Oracle-Linux-7:bpftool-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-tools-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:python-perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-headers-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-debug-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-debug-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Medium" } ] }, { "cve": "CVE-2025-21772", "notes": [ { "category": "description", "text": "In the Linux kernel, the following vulnerability has been resolved:\npartitions: mac: fix handling of bogus partition table\nFix several issues in partition probing:\n- The bailout for a bad partoffset must use put_dev_sector(), since the\npreceding read_part_sector() succeeded.\n- If the partition table claims a silly sector size like 0xfff bytes\n(which results in partition table entries straddling sector boundaries),\nbail out instead of accessing out-of-bounds memory.\n- We must not assume that the partition table contains proper NUL\ntermination - use strnlen() and strncmp() instead of strlen() and\nstrcmp().", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Oracle-Linux-7:bpftool-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-tools-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:python-perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-headers-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-debug-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-debug-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2025-21772" } ], "release_date": "2025-02-27T00:00:00", "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Oracle-Linux-7:bpftool-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-tools-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:python-perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-headers-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-debug-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-debug-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Medium" } ] }, { "cve": "CVE-2025-21765", "notes": [ { "category": "description", "text": "In the Linux kernel, the following vulnerability has been resolved:\nipv6: use RCU protection in ip6_default_advmss()\nip6_default_advmss() needs rcu protection to make\nsure the net structure it reads does not disappear.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Oracle-Linux-7:bpftool-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-tools-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:python-perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-headers-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-debug-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-debug-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2025-21765" } ], "release_date": "2025-02-27T00:00:00", "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Oracle-Linux-7:bpftool-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-tools-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:python-perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-headers-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-debug-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-debug-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Medium" } ] }, { "cve": "CVE-2025-21763", "notes": [ { "category": "description", "text": "In the Linux kernel, the following vulnerability has been resolved:\nneighbour: use RCU protection in __neigh_notify()\n__neigh_notify() can be called without RTNL or RCU protection.\nUse RCU protection to avoid potential UAF.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Oracle-Linux-7:bpftool-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-tools-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:python-perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-headers-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-debug-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-debug-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2025-21763" } ], "release_date": "2025-02-27T00:00:00", "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Oracle-Linux-7:bpftool-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-tools-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:python-perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-headers-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-debug-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-debug-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Medium" } ] }, { "cve": "CVE-2025-21909", "notes": [ { "category": "description", "text": "In the Linux kernel, the following vulnerability has been resolved:\nwifi: nl80211: reject cooked mode if it is set along with other flags\nIt is possible to set both MONITOR_FLAG_COOK_FRAMES and MONITOR_FLAG_ACTIVE\nflags simultaneously on the same monitor interface from the userspace. This\ncauses a sub-interface to be created with no IEEE80211_SDATA_IN_DRIVER bit\nset because the monitor interface is in the cooked state and it takes\nprecedence over all other states. When the interface is then being deleted\nthe kernel calls WARN_ONCE() from check_sdata_in_driver() because of missing\nthat bit.\nFix this by rejecting MONITOR_FLAG_COOK_FRAMES if it is set along with\nother flags.\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Oracle-Linux-7:bpftool-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-tools-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:python-perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-headers-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-debug-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-debug-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2025-21909" } ], "release_date": "2025-04-01T00:00:00", "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Oracle-Linux-7:bpftool-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-tools-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:python-perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-headers-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-debug-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-debug-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Medium" } ] }, { "cve": "CVE-2025-21862", "cwe": { "id": "CWE-908", "name": "Use of Uninitialized Resource" }, "notes": [ { "category": "description", "text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrop_monitor: fix incorrect initialization order\n\nSyzkaller reports the following bug:\n\nBUG: spinlock bad magic on CPU#1, syz-executor.0/7995\n lock: 0xffff88805303f3e0, .magic: 00000000, .owner: /-1, .owner_cpu: 0\nCPU: 1 PID: 7995 Comm: syz-executor.0 Tainted: G E 5.10.209+ #1\nHardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x119/0x179 lib/dump_stack.c:118\n debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]\n do_raw_spin_lock+0x1f6/0x270 kernel/locking/spinlock_debug.c:112\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline]\n _raw_spin_lock_irqsave+0x50/0x70 kernel/locking/spinlock.c:159\n reset_per_cpu_data+0xe6/0x240 [drop_monitor]\n net_dm_cmd_trace+0x43d/0x17a0 [drop_monitor]\n genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2497\n genl_rcv+0x29/0x40 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]\n netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1348\n netlink_sendmsg+0x914/0xe00 net/netlink/af_netlink.c:1916\n sock_sendmsg_nosec net/socket.c:651 [inline]\n __sock_sendmsg+0x157/0x190 net/socket.c:663\n ____sys_sendmsg+0x712/0x870 net/socket.c:2378\n ___sys_sendmsg+0xf8/0x170 net/socket.c:2432\n __sys_sendmsg+0xea/0x1b0 net/socket.c:2461\n do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x62/0xc7\nRIP: 0033:0x7f3f9815aee9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f3f972bf0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f3f9826d050 RCX: 00007f3f9815aee9\nRDX: 0000000020000000 RSI: 0000000020001300 RDI: 0000000000000007\nRBP: 00007f3f981b63bd R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000006e R14: 00007f3f9826d050 R15: 00007ffe01ee6768\n\nIf drop_monitor is built as a kernel module, syzkaller may have time\nto send a netlink NET_DM_CMD_START message during the module loading.\nThis will call the net_dm_monitor_start() function that uses\na spinlock that has not yet been initialized.\n\nTo fix this, let's place resource initialization above the registration\nof a generic netlink family.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with Syzkaller.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Oracle-Linux-7:bpftool-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-tools-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:python-perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-headers-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-debug-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-debug-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2025-21862" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/07b598c0e6f06a0f254c88dafb4ad50f8a8c6eea", "url": "https://git.kernel.org/stable/c/07b598c0e6f06a0f254c88dafb4ad50f8a8c6eea" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/0efa6c42f81c60d8f72ba7f5ed8d4fec8c526282", "url": "https://git.kernel.org/stable/c/0efa6c42f81c60d8f72ba7f5ed8d4fec8c526282" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/219a47d0e6195bd202f22855e35f25bd15bc4d58", "url": "https://git.kernel.org/stable/c/219a47d0e6195bd202f22855e35f25bd15bc4d58" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/29f9cdcab3d96d5207a5c92b52c40ad75e5915d8", "url": "https://git.kernel.org/stable/c/29f9cdcab3d96d5207a5c92b52c40ad75e5915d8" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/6e9e0f224ffd8b819da3ea247dda404795fdd182", "url": "https://git.kernel.org/stable/c/6e9e0f224ffd8b819da3ea247dda404795fdd182" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/872c7c7e57a746046796ddfead529c9d37b9f6b4", "url": "https://git.kernel.org/stable/c/872c7c7e57a746046796ddfead529c9d37b9f6b4" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/b7859e8643e75619b2705b4fcac93ffd94d72b4a", "url": "https://git.kernel.org/stable/c/b7859e8643e75619b2705b4fcac93ffd94d72b4a" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/fcfc00bfec7bb6661074cb21356d05a4c9470a3c", "url": "https://git.kernel.org/stable/c/fcfc00bfec7bb6661074cb21356d05a4c9470a3c" } ], "release_date": "2025-03-12T10:15:00", "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Oracle-Linux-7:bpftool-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-tools-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:python-perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-headers-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-debug-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-debug-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Medium" } ] }, { "cve": "CVE-2025-21858", "cwe": { "id": "CWE-416", "name": "Use After Free" }, "notes": [ { "category": "description", "text": "In the Linux kernel, the following vulnerability has been resolved:\n\ngeneve: Fix use-after-free in geneve_find_dev().\n\nsyzkaller reported a use-after-free in geneve_find_dev() [0]\nwithout repro.\n\ngeneve_configure() links struct geneve_dev.next to\nnet_generic(net, geneve_net_id)->geneve_list.\n\nThe net here could differ from dev_net(dev) if IFLA_NET_NS_PID,\nIFLA_NET_NS_FD, or IFLA_TARGET_NETNSID is set.\n\nWhen dev_net(dev) is dismantled, geneve_exit_batch_rtnl() finally\ncalls unregister_netdevice_queue() for each dev in the netns,\nand later the dev is freed.\n\nHowever, its geneve_dev.next is still linked to the backend UDP\nsocket netns.\n\nThen, use-after-free will occur when another geneve dev is created\nin the netns.\n\nLet's call geneve_dellink() instead in geneve_destroy_tunnels().\n\n[0]:\nBUG: KASAN: slab-use-after-free in geneve_find_dev drivers/net/geneve.c:1295 [inline]\nBUG: KASAN: slab-use-after-free in geneve_configure+0x234/0x858 drivers/net/geneve.c:1343\nRead of size 2 at addr ffff000054d6ee24 by task syz.1.4029/13441\n\nCPU: 1 UID: 0 PID: 13441 Comm: syz.1.4029 Not tainted 6.13.0-g0ad9617c78ac #24 dc35ca22c79fb82e8e7bc5c9c9adafea898b1e3d\nHardware name: linux,dummy-virt (DT)\nCall trace:\n show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:466 (C)\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x16c/0x6f0 mm/kasan/report.c:489\n kasan_report+0xc0/0x120 mm/kasan/report.c:602\n __asan_report_load2_noabort+0x20/0x30 mm/kasan/report_generic.c:379\n geneve_find_dev drivers/net/geneve.c:1295 [inline]\n geneve_configure+0x234/0x858 drivers/net/geneve.c:1343\n geneve_newlink+0xb8/0x128 drivers/net/geneve.c:1634\n rtnl_newlink_create+0x23c/0x868 net/core/rtnetlink.c:3795\n __rtnl_newlink net/core/rtnetlink.c:3906 [inline]\n rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021\n rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911\n netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543\n rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938\n netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]\n netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1348\n netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1892\n sock_sendmsg_nosec net/socket.c:713 [inline]\n __sock_sendmsg net/socket.c:728 [inline]\n ____sys_sendmsg+0x410/0x6f8 net/socket.c:2568\n ___sys_sendmsg+0x178/0x1d8 net/socket.c:2622\n __sys_sendmsg net/socket.c:2654 [inline]\n __do_sys_sendmsg net/socket.c:2659 [inline]\n __se_sys_sendmsg net/socket.c:2657 [inline]\n __arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2657\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151\n el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744\n el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762\n el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600\n\nAllocated by task 13247:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x30/0x68 mm/kasan/common.c:68\n kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4298 [inline]\n __kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4304\n __kvmalloc_node_noprof+0x9c/0x230 mm/util.c:645\n alloc_netdev_mqs+0xb8/0x11a0 net/core/dev.c:11470\n rtnl_create_link+0x2b8/0xb50 net/core/rtnetlink.c:3604\n rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3780\n __rtnl_newlink net/core/rtnetlink.c:3906 [inline]\n rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021\n rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911\n netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543\n rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938\n netlink_unicast_kernel net/netlink/af_n\n---truncated---", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Oracle-Linux-7:bpftool-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-tools-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:python-perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-headers-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-debug-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-debug-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2025-21858" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/3ce92ca990cfac88a87c61df3cc0b5880e688ecf", "url": "https://git.kernel.org/stable/c/3ce92ca990cfac88a87c61df3cc0b5880e688ecf" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/5a0538ac6826807d6919f6aecbb8996c2865af2c", "url": "https://git.kernel.org/stable/c/5a0538ac6826807d6919f6aecbb8996c2865af2c" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/788dbca056a8783ec063da3c9d49a3a71c76c283", "url": "https://git.kernel.org/stable/c/788dbca056a8783ec063da3c9d49a3a71c76c283" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/904e746b2e7fa952ab8801b303ce826a63153d78", "url": "https://git.kernel.org/stable/c/904e746b2e7fa952ab8801b303ce826a63153d78" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/9593172d93b9f91c362baec4643003dc29802929", "url": "https://git.kernel.org/stable/c/9593172d93b9f91c362baec4643003dc29802929" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/d5e86e27de0936f3cb0a299ce519d993e9cf3886", "url": "https://git.kernel.org/stable/c/d5e86e27de0936f3cb0a299ce519d993e9cf3886" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/da9b0ae47f084014b1e4b3f31f70a0defd047ff3", "url": "https://git.kernel.org/stable/c/da9b0ae47f084014b1e4b3f31f70a0defd047ff3" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/f74f6560146714241c6e167b03165ee77a86e316", "url": "https://git.kernel.org/stable/c/f74f6560146714241c6e167b03165ee77a86e316" } ], "release_date": "2025-03-12T10:15:00", "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Oracle-Linux-7:bpftool-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-tools-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:python-perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-headers-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-debug-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-debug-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64" ] } ], "threats": [ { "category": "impact", "details": "High" } ] }, { "cve": "CVE-2025-21910", "notes": [ { "category": "description", "text": "In the Linux kernel, the following vulnerability has been resolved:\nwifi: cfg80211: regulatory: improve invalid hints checking\nSyzbot keeps reporting an issue [1] that occurs when erroneous symbols\nsent from userspace get through into user_alpha2[] via\nregulatory_hint_user() call. Such invalid regulatory hints should be\nrejected.\nWhile a sanity check from commit 47caf685a685 (\"cfg80211: regulatory:\nreject invalid hints\") looks to be enough to deter these very cases,\nthere is a way to get around it due to 2 reasons.\n1) The way isalpha() works, symbols other than latin lower and\nupper letters may be used to determine a country/domain.\nFor instance, greek letters will also be considered upper/lower\nletters and for such characters isalpha() will return true as well.\nHowever, ISO-3166-1 alpha2 codes should only hold latin\ncharacters.\n2) While processing a user regulatory request, between\nreg_process_hint_user() and regulatory_hint_user() there happens to\nbe a call to queue_regulatory_request() which modifies letters in\nrequest->alpha2[] with toupper(). This works fine for latin symbols,\nless so for weird letter characters from the second part of _ctype[].\nSyzbot triggers a warning in is_user_regdom_saved() by first sending\nover an unexpected non-latin letter that gets malformed by toupper()\ninto a character that ends up failing isalpha() check.\nPrevent this by enhancing is_an_alpha2() to ensure that incoming\nsymbols are latin letters and nothing else.\n[1] Syzbot report:\n------------[ cut here ]------------\nUnexpected user alpha2: A�\nWARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 is_user_regdom_saved net/wireless/reg.c:440 [inline]\nWARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_alpha2 net/wireless/reg.c:3424 [inline]\nWARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516\nModules linked in:\nCPU: 1 UID: 0 PID: 964 Comm: kworker/1:2 Not tainted 6.12.0-rc5-syzkaller-00044-gc1e939a21eb1 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nWorkqueue: events_power_efficient crda_timeout_work\nRIP: 0010:is_user_regdom_saved net/wireless/reg.c:440 [inline]\nRIP: 0010:restore_alpha2 net/wireless/reg.c:3424 [inline]\nRIP: 0010:restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516\n...\nCall Trace:\n\ncrda_timeout_work+0x27/0x50 net/wireless/reg.c:542\nprocess_one_work kernel/workqueue.c:3229 [inline]\nprocess_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310\nworker_thread+0x870/0xd30 kernel/workqueue.c:3391\nkthread+0x2f2/0x390 kernel/kthread.c:389\nret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Oracle-Linux-7:bpftool-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-tools-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:python-perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-headers-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-debug-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-debug-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2025-21910" } ], "release_date": "2025-04-01T00:00:00", "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Oracle-Linux-7:bpftool-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-tools-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:python-perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-headers-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-debug-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-debug-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Medium" } ] }, { "cve": "CVE-2025-21877", "notes": [ { "category": "description", "text": "In the Linux kernel, the following vulnerability has been resolved:\nusbnet: gl620a: fix endpoint checking in genelink_bind()\nSyzbot reports [1] a warning in usb_submit_urb() triggered by\ninconsistencies between expected and actually present endpoints\nin gl620a driver. Since genelink_bind() does not properly\nverify whether specified eps are in fact provided by the device,\nin this case, an artificially manufactured one, one may get a\nmismatch.\nFix the issue by resorting to a usbnet utility function\nusbnet_get_endpoints(), usually reserved for this very problem.\nCheck for endpoints and return early before proceeding further if\nany are missing.\n[1] Syzbot report:\nusb 5-1: Manufacturer: syz\nusb 5-1: SerialNumber: syz\nusb 5-1: config 0 descriptor??\ngl620a 5-1:0.23 usb0: register 'gl620a' at usb-dummy_hcd.0-1, ...\n------------[ cut here ]------------\nusb 5-1: BOGUS urb xfer, pipe 3 != type 1\nWARNING: CPU: 2 PID: 1841 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503\nModules linked in:\nCPU: 2 UID: 0 PID: 1841 Comm: kworker/2:2 Not tainted 6.12.0-syzkaller-07834-g06afb0f36106 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nWorkqueue: mld mld_ifc_work\nRIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503\n...\nCall Trace:\n\nusbnet_start_xmit+0x6be/0x2780 drivers/net/usb/usbnet.c:1467\n__netdev_start_xmit include/linux/netdevice.h:5002 [inline]\nnetdev_start_xmit include/linux/netdevice.h:5011 [inline]\nxmit_one net/core/dev.c:3590 [inline]\ndev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3606\nsch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343\n__dev_xmit_skb net/core/dev.c:3827 [inline]\n__dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4400\ndev_queue_xmit include/linux/netdevice.h:3168 [inline]\nneigh_resolve_output net/core/neighbour.c:1514 [inline]\nneigh_resolve_output+0x5bc/0x950 net/core/neighbour.c:1494\nneigh_output include/net/neighbour.h:539 [inline]\nip6_finish_output2+0xb1b/0x2070 net/ipv6/ip6_output.c:141\n__ip6_finish_output net/ipv6/ip6_output.c:215 [inline]\nip6_finish_output+0x3f9/0x1360 net/ipv6/ip6_output.c:226\nNF_HOOK_COND include/linux/netfilter.h:303 [inline]\nip6_output+0x1f8/0x540 net/ipv6/ip6_output.c:247\ndst_output include/net/dst.h:450 [inline]\nNF_HOOK include/linux/netfilter.h:314 [inline]\nNF_HOOK include/linux/netfilter.h:308 [inline]\nmld_sendpack+0x9f0/0x11d0 net/ipv6/mcast.c:1819\nmld_send_cr net/ipv6/mcast.c:2120 [inline]\nmld_ifc_work+0x740/0xca0 net/ipv6/mcast.c:2651\nprocess_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229\nprocess_scheduled_works kernel/workqueue.c:3310 [inline]\nworker_thread+0x6c8/0xf00 kernel/workqueue.c:3391\nkthread+0x2c1/0x3a0 kernel/kthread.c:389\nret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Oracle-Linux-7:bpftool-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-tools-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:python-perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-headers-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-debug-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-debug-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2025-21877" } ], "release_date": "2025-03-27T00:00:00", "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Oracle-Linux-7:bpftool-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-tools-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:python-perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-headers-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-debug-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-debug-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Medium" } ] }, { "cve": "CVE-2025-21922", "cwe": { "id": "CWE-908", "name": "Use of Uninitialized Resource" }, "notes": [ { "category": "description", "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nppp: Fix KMSAN uninit-value warning with bpf\n\nSyzbot caught an \"KMSAN: uninit-value\" warning [1], which is caused by the\nppp driver not initializing a 2-byte header when using socket filter.\n\nThe following code can generate a PPP filter BPF program:\n'''\nstruct bpf_program fp;\npcap_t *handle;\nhandle = pcap_open_dead(DLT_PPP_PPPD, 65535);\npcap_compile(handle, &fp, \"ip and outbound\", 0, 0);\nbpf_dump(&fp, 1);\n'''\nIts output is:\n'''\n(000) ldh [2]\n(001) jeq #0x21 jt 2 jf 5\n(002) ldb [0]\n(003) jeq #0x1 jt 4 jf 5\n(004) ret #65535\n(005) ret #0\n'''\nWen can find similar code at the following link:\nhttps://github.com/ppp-project/ppp/blob/master/pppd/options.c#L1680\nThe maintainer of this code repository is also the original maintainer\nof the ppp driver.\n\nAs you can see the BPF program skips 2 bytes of data and then reads the\n'Protocol' field to determine if it's an IP packet. Then it read the first\nbyte of the first 2 bytes to determine the direction.\n\nThe issue is that only the first byte indicating direction is initialized\nin current ppp driver code while the second byte is not initialized.\n\nFor normal BPF programs generated by libpcap, uninitialized data won't be\nused, so it's not a problem. However, for carefully crafted BPF programs,\nsuch as those generated by syzkaller [2], which start reading from offset\n0, the uninitialized data will be used and caught by KMSAN.\n\n[1] https://syzkaller.appspot.com/bug?extid=853242d9c9917165d791\n[2] https://syzkaller.appspot.com/text?tag=ReproC&x=11994913980000", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Oracle-Linux-7:bpftool-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-tools-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:python-perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-headers-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-debug-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-debug-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2025-21922" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/1eacd47636a9de5bee25d9d5962dc538a82d9f0b", "url": "https://git.kernel.org/stable/c/1eacd47636a9de5bee25d9d5962dc538a82d9f0b" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/2f591cb158807bdcf424f66f1fbfa6e4e50f3757", "url": "https://git.kernel.org/stable/c/2f591cb158807bdcf424f66f1fbfa6e4e50f3757" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/3de809a768464528762757e433cd50de35bcb3c1", "url": "https://git.kernel.org/stable/c/3de809a768464528762757e433cd50de35bcb3c1" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/4c2d14c40a68678d885eab4008a0129646805bae", "url": "https://git.kernel.org/stable/c/4c2d14c40a68678d885eab4008a0129646805bae" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/4e2191b0fd0c064d37b0db67396216f2d4787e0f", "url": "https://git.kernel.org/stable/c/4e2191b0fd0c064d37b0db67396216f2d4787e0f" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/8aa8a40c766b3945b40565a70349d5581458ff63", "url": "https://git.kernel.org/stable/c/8aa8a40c766b3945b40565a70349d5581458ff63" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/c036f5f2680cbdabdbbace86baee3c83721634d6", "url": "https://git.kernel.org/stable/c/c036f5f2680cbdabdbbace86baee3c83721634d6" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/d685096c8129c9a92689975193e268945fd21dbf", "url": "https://git.kernel.org/stable/c/d685096c8129c9a92689975193e268945fd21dbf" } ], "release_date": "2025-04-01T16:15:00", "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Oracle-Linux-7:bpftool-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-tools-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:python-perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:perf-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-headers-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-debug-devel-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64", "Oracle-Linux-7:kernel-uek-container-debug-0:5.4.17-2136.338.4.2.el7uek.tuxcare.els1.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Medium" } ] } ] }