
Red Hat alert RHSA-2025:6966-01 (kernel)

An update for kernel is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating
system.

Security Fix(es):

* kernel: drm: nv04: Fix out of bounds access (CVE-2024-27008)

* kernel: Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout
(CVE-2024-27398)

* kernel: pipe: wakeup wr_wait after setting max_usage (CVE-2023-52672)

* kernel: net: phy: micrel: Fix potential null pointer dereference
(CVE-2024-35891)

* kernel: net/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list()
(CVE-2024-35934)

* kernel: Bluetooth: btintel: Fix null ptr deref in btintel_read_version
(CVE-2024-35933)

* kernel: Bluetooth: Fix memory leak in hci_req_sync_complete()
(CVE-2024-35978)

* kernel: Bluetooth: SCO: Fix not validating setsockopt user input
(CVE-2024-35967)

* kernel: Bluetooth: RFCOMM: Fix not validating setsockopt user input
(CVE-2024-35966)

* kernel: Bluetooth: L2CAP: Fix not validating setsockopt user input
(CVE-2024-35965)

* kernel: Bluetooth: ISO: Fix not validating setsockopt user input
(CVE-2024-35964)

* kernel: Bluetooth: hci_sock: Fix not validating setsockopt user input
(CVE-2024-35963)

* kernel: Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()
(CVE-2024-36013)

* kernel: Bluetooth: msft: fix slab-use-after-free in msft_do_close()
(CVE-2024-36012)

* kernel: Bluetooth: HCI: Fix potential null-ptr-deref (CVE-2024-36011)

* kernel: Bluetooth: qca: add missing firmware sanity checks (CVE-2024-36880)

* kernel: Bluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init()
(CVE-2024-36968)

* kernel: of: module: add buffer overflow check in of_modalias()
(CVE-2024-38541)

* kernel: sock_map: avoid race between sock_map_close and sk_psock_put
(CVE-2024-39500)

* kernel: dmaengine: idxd: Fix possible Use-After-Free in
irq_process_work_list (CVE-2024-40956)

* kernel: bpf: Fix too early release of tcx_entry (CVE-2024-41010)

* kernel: bluetooth/l2cap: sync sock recv cb and release (CVE-2024-41062)

* kernel: Bluetooth: Ignore too large handle values in BIG (CVE-2024-42133)

* kernel: gpio: pca953x: fix pca953x_irq_bus_sync_unlock race
(CVE-2024-42253)

* kernel: protect the fetch of ->fd[fd] in do_dup2() from
mispredictions (CVE-2024-42265)

* kernel: ASoC: TAS2781: Fix tasdev_load_calibrated_data() (CVE-2024-42278)

* kernel: ice: Add a per-VF limit on number of FDIR filters (CVE-2024-42291)

* kernel: block: fix deadlock between sd_remove & sd_release
(CVE-2024-42294)

* kernel: PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal
(CVE-2024-42302)

* kernel: ext4: make sure the first directory block is not a hole
(CVE-2024-42304)

* kernel: ext4: check dot and dotdot of dx_root before making dir indexed
(CVE-2024-42305)

* kernel: sysctl: always initialize i_uid/i_gid (CVE-2024-42312)

* kernel: exfat: fix potential deadlock on __exfat_get_dentry_set
(CVE-2024-42315)

* kernel: mm/mglru: fix div-by-zero in vmpressure_calc_level()
(CVE-2024-42316)

* kernel: net: flow_dissector: use DEBUG_NET_WARN_ON_ONCE (CVE-2024-42321)

* kernel: dm-raid: Fix WARN_ON_ONCE check for sync_thread in raid_resume
(CVE-2024-43820)

* kernel: scsi: lpfc: Fix a possible null pointer dereference
(CVE-2024-43821)

* kernel: PCI: keystone: Fix NULL pointer dereference in case of DT error in
ks_pcie_setup_rc_app_regs() (CVE-2024-43823)

* kernel: ext4: fix infinite loop when replaying fast_commit (CVE-2024-43828)

* kernel: xdp: fix invalid wait context of page_pool_destroy()
(CVE-2024-43834)

* kernel: lib: objagg: Fix general protection fault (CVE-2024-43846)

* kernel: cgroup/cpuset: Prevent UAF in proc_cpuset_show() (CVE-2024-43853)

* kernel: devres: Fix memory leakage caused by driver API devm_free_percpu()
(CVE-2024-43871)

* kernel: vhost/vsock: always initialize seqpacket_allow (CVE-2024-43873)

* kernel: exec: Fix ToCToU between perm check and set-uid/gid usage
(CVE-2024-43882)

* kernel: Bluetooth: MGMT: Add error handling to pair_device()
(CVE-2024-43884)

* kernel: padata: Fix possible divide-by-0 panic in padata_mt_helper()
(CVE-2024-43889)

* kernel: ext4: sanity check for NULL pointer after ext4_force_shutdown
(CVE-2024-43898)

* kernel: bpf: add missing check_func_arg_reg_off() to prevent out-of-bounds
memory accesses (CVE-2024-43910)

* kernel: md/raid5: avoid BUG_ON() while continue reshape after reassembling
(CVE-2024-43914)

* kernel: gpio: prevent potential speculation leaks in gpio_device_get_desc()
(CVE-2024-44931)

* kernel: idpf: fix UAFs when destroying the queues (CVE-2024-44932)

* kernel: net: bridge: mcast: wait for previous gc cycles when removing port
(CVE-2024-44934)

* kernel: driver core: Fix uevent_show() vs driver detach race
(CVE-2024-44952)

* kernel: sched/smt: Fix unbalance sched_smt_present dec/inc (CVE-2024-44958)

* kernel: idpf: fix memory leaks and crashes while performing a soft reset
(CVE-2024-44964)

* kernel: cgroup/cpuset: fix panic caused by partcmd_update (CVE-2024-44975)

* kernel: ipv6: prevent UAF in ip6_send_skb() (CVE-2024-44987)

* kernel: bonding: fix xfrm real_dev null pointer dereference
(CVE-2024-44989)

* kernel: fs/netfs/fscache_cookie: add missing "n_accesses" check
(CVE-2024-45000)

* kernel: mptcp: pm: only decrement add_addr_accepted for MPJ req
(CVE-2024-45009)

* kernel: mptcp: pm: only mark 'subflow' endp as available (CVE-2024-45010)

* kernel: netem: fix return value if duplicate enqueue fails (CVE-2024-45016)

* kernel: mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high
order fallback to order 0 (CVE-2024-45022)

* kernel: scsi: aacraid: Fix double-free on probe failure (CVE-2024-46673)

* kernel: usb: dwc3: core: Prevent USB core invalid event buffer address
access (CVE-2024-46675)

* kernel: mptcp: pm: fix ID 0 endp usage after multiple re-creations
(CVE-2024-46711)

* kernel: drm/amdgpu: fix mc_data out-of-bounds read warning (CVE-2024-46722)

* kernel: drm/amdgpu: fix ucode out-of-bounds read warning (CVE-2024-46723)

* kernel: drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number
(CVE-2024-46724)

* kernel: drm/amdgpu: Fix out-of-bounds write warning (CVE-2024-46725)

* kernel: of/irq: Prevent device address out-of-bounds read in interrupt map
walk (CVE-2024-46743)

* kernel: Input: uinput - reject requests with unreasonable number of slots
(CVE-2024-46745)

* kernel: HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup
(CVE-2024-46747)

* kernel: PCI: Add missing bridge lock to pci_bus_lock() (CVE-2024-46750)

* kernel: bpf: Remove tst_run from lwt_seg6local_prog_ops. (CVE-2024-46754)

* kernel: hwmon: (w83627ehf) Fix underflows seen when writing limit
attributes (CVE-2024-46756)

* kernel: hwmon: (lm95234) Fix underflows seen when writing limit attributes
(CVE-2024-46758)

* kernel: hwmon: (adc128d818) Fix underflows seen when writing limit
attributes (CVE-2024-46759)

* kernel: pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv
(CVE-2024-46761)

* kernel: tcp_bpf: fix return value of tcp_bpf_sendmsg() (CVE-2024-46783)

* kernel: fscache: delete fscache_cookie_lru_timer when fscache exits to
avoid UAF (CVE-2024-46786)

* kernel: userfaultfd: fix checks for huge PMDs (CVE-2024-46787)

* kernel: sch/netem: fix use after free in netem_dequeue (CVE-2024-46800)

* kernel: drm/amdgpu: fix the waring dereferencing hive (CVE-2024-46805)

* kernel: drm/amdgpu: Fix the warning division or modulo by zero
(CVE-2024-46806)

* kernel: drm/amd/amdgpu: Check tbo resource pointer (CVE-2024-46807)

* kernel: drm/amdgpu: the warning dereferencing obj for nbio_v7_4
(CVE-2024-46819)

* kernel: drm/amdgpu/vcn: remove irq disabling in vcn 5 suspend
(CVE-2024-46820)

* kernel: arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry
(CVE-2024-46822)

* kernel: sched: sch_cake: fix bulk flow accounting logic for host fairness
(CVE-2024-46828)

* kernel: drm/amdgpu: Fix smatch static checker warning (CVE-2024-46835)

* kernel: workqueue: Improve scalability of workqueue watchdog touch
(CVE-2024-46839)

* kernel: spi: nxp-fspi: fix the KASAN report out-of-bounds bug
(CVE-2024-46853)

* kernel: x86/hyperv: fix kexec crash due to VP assist page corruption
(CVE-2024-46864)

* kernel: drm/amd/display: Correct the defined value for
AMDGPU_DMUB_NOTIFICATION_MAX (CVE-2024-46871)

* kernel: fsnotify: clear PARENT_WATCHED flags lazily (CVE-2024-47660)

* kernel: lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()
(CVE-2024-47668)

* kernel: sock_map: Add a cond_resched() in sock_hash_free() (CVE-2024-47710)

* kernel: iommufd: Protect against overflow of ALIGN() during iova allocation
(CVE-2024-47719)

* kernel: nfsd: return -EINVAL when namelen is 0 (CVE-2024-47692)

* kernel: block: fix potential invalid pointer dereference in
blk_add_partition (CVE-2024-47705)

* kernel: ACPI: sysfs: validate return type of _STR method (CVE-2024-49860)

* kernel: powercap: intel_rapl: Fix off by one in get_rpi() (CVE-2024-49862)

* kernel: padata: use integer wrap around to prevent deadlock on seq_nr
overflow (CVE-2024-47739)

* kernel: icmp: change the order of rate limits (CVE-2024-47678)

* kernel: ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir()
(CVE-2023-52917)

* kernel: vdpa/mlx5: Fix invalid mr resource destroy (CVE-2024-47687)

* kernel: x86/sgx: Fix deadlock in SGX NUMA node search (CVE-2024-49856)

* kernel: wifi: mt76: mt7915: fix oops on non-dbdc mt7986 (CVE-2024-47715)

* kernel: wifi: rtw88: always wait for both firmware loading attempts
(CVE-2024-47718)

* kernel: block, bfq: fix possible UAF for bfqq->bic with merge chain
(CVE-2024-47706)

* kernel: nfsd: call cache_put if xdr_reserve_space returns NULL
(CVE-2024-47737)

* kernel: wifi: mac80211: don't use rate mask for offchannel TX
either (CVE-2024-47738)

* kernel: wifi: mac80211: use two-phase skb reclamation in
ieee80211_do_stop() (CVE-2024-47713)

* kernel: vhost_vdpa: assign irq bypass producer token correctly
(CVE-2024-47748)

* kernel: tpm: Clean up TPM space after command failure (CVE-2024-49851)

* kernel: mm: call the security_mmap_file() LSM hook in remap_file_pages()
(CVE-2024-47745)

* kernel: bpf, lsm: Add check for BPF LSM return value (CVE-2024-47703)

* kernel: netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()
(CVE-2024-47685)

* kernel: ext4: check stripe size compatibility on remount as well
(CVE-2024-47700)

* kernel: nfsd: map the EBADMSG to nfserr_io to avoid warning
(CVE-2024-49875)

* kernel: iommu/vt-d: Fix potential lockup if qi_submit_sync called with 0
count (CVE-2024-49993)

* kernel: tipc: guard against string buffer overrun (CVE-2024-49995)

* kernel: exfat: fix memory leak in exfat_load_bitmap() (CVE-2024-50013)

* kernel: Bluetooth: L2CAP: Fix uaf in l2cap_connect (CVE-2024-49950)

* kernel: ext4: fix double brelse() the buffer of the extents path
(CVE-2024-49882)

* kernel: cachefiles: fix dentry leak in cachefiles_open_file()
(CVE-2024-49870)

* kernel: ppp: do not assume bh is held in ppp_channel_bridge_input()
(CVE-2024-49946)

* kernel: ext4: filesystems without casefold feature cannot be mounted with
siphash (CVE-2024-49968)

* kernel: net: napi: Prevent overflow of napi_defer_hard_irqs
(CVE-2024-50018)

* kernel: ext4: fix access to uninitialised lock in fc replay path
(CVE-2024-50014)

* kernel: mm, slub: avoid zeroing kmalloc redzone (CVE-2024-49885)

* kernel: drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer
(CVE-2024-49991)

* kernel: platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug
(CVE-2024-49886)

* kernel: drm/amdgpu: add list empty check to avoid null pointer issue
(CVE-2024-49904)

* kernel: wifi: iwlwifi: mvm: avoid NULL pointer dereference (CVE-2024-49929)

* kernel: uprobes: fix kernel info leak via "[uprobes]" vma (CVE-2024-49975)

* kernel: ext4: aovid use-after-free in ext4_ext_insert_extent()
(CVE-2024-49883)

* kernel: ext4: fix timer use-after-free on failed mount (CVE-2024-49960)

* kernel: ext4: drop ppath from ext4_ext_replay_update_ex() to avoid
double-free (CVE-2024-49983)

* kernel: cpufreq: amd-pstate: add check for cpufreq_cpu_get's return
value (CVE-2024-50009)

* kernel: ext4: update orig_path in ext4_find_extent() (CVE-2024-49881)

* kernel: wifi: ath9k_htc: Use __skb_set_length() for resetting urb before
resubmit (CVE-2024-49938)

* kernel: wifi: cfg80211: Set correct chandef when starting CAC
(CVE-2024-49937)

* kernel: ext4: avoid use-after-free in ext4_ext_show_leaf() (CVE-2024-49889)

* kernel: resource: fix region_intersects() vs add_memory_driver_managed()
(CVE-2024-49878)

* kernel: wifi: ath11k: fix array out-of-bound access in SoC stats
(CVE-2024-49930)

* kernel: ext4: dax: fix overflowing extents beyond inode size when partially
writing (CVE-2024-50015)

* kernel: r8169: add tally counter fields added with RTL8125 (CVE-2024-49973)

* kernel: wifi: rtw89: avoid reading out of bounds when loading TX power FW
elements (CVE-2024-49928)

* kernel: ext4: fix i_data_sem unlock order in ext4_ind_migrate()
(CVE-2024-50006)

* kernel: static_call: Replace pointless WARN_ON() in
static_call_module_notify() (CVE-2024-49954)

* kernel: fs/inode: Prevent dump_mapping() accessing invalid
dentry.d_name.name (CVE-2024-49934)

* kernel: ext4: no need to continue when the number of entries is 1
(CVE-2024-49967)

* kernel: jbd2: stop waiting for space when jbd2_cleanup_journal_tail()
returns error (CVE-2024-49959)

* kernel: net: add more sanity checks to qdisc_pkt_len_init()
(CVE-2024-49948)

* kernel: block: fix integer overflow in BLKSECDISCARD (CVE-2024-49994)

* kernel: afs: Fix the setting of the server responding flag (CVE-2024-49999)

* kernel: ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in
acpi_db_convert_to_package() (CVE-2024-49962)

* kernel: NFSD: Limit the number of concurrent async COPY operations
(CVE-2024-49974)

* kernel: wifi: rtw89: avoid to add interface to list twice when SER
(CVE-2024-49939)

* kernel: Bluetooth: MGMT: Fix possible crash on mgmt_index_removed
(CVE-2024-49951)

* kernel: drm/amd/display: Increase array size of dummy_boolean
(CVE-2024-49971)

* kernel: ACPI: PAD: fix crash in exit_round_robin() (CVE-2024-49935)

* kernel: static_call: Handle module init failure correctly in
static_call_del_module() (CVE-2024-50002)

* kernel: x86/ioapic: Handle allocation failures gracefully (CVE-2024-49927)

* kernel: ext4: fix slab-use-after-free in ext4_split_extent_at()
(CVE-2024-49884)

* kernel: net: stmmac: Fix zero-division error when disabling tc cbs
(CVE-2024-49977)

* kernel: wifi: mwifiex: Fix memcpy() field-spanning write warning in
mwifiex_cmd_802_11_scan_ext() (CVE-2024-50008)

* kernel: blk_iocost: fix more out of bound shifts (CVE-2024-49933)

* kernel: smb: client: fix UAF in async decryption (CVE-2024-50047)

* kernel: netfilter: xtables: avoid NFPROTO_UNSPEC where needed
(CVE-2024-50038)

* kernel: slip: make slhc_remember() more robust against malicious packets
(CVE-2024-50033)

* kernel: zram: free secondary algorithms names (CVE-2024-50064)

* kernel: Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change
(CVE-2024-50044)

* kernel: Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync
(CVE-2024-50029)

* kernel: device-dax: correct pgoff align in dax_set_mapping()
(CVE-2024-50022)

* kernel: usb: typec: tipd: Free IRQ only if it was requested before
(CVE-2024-50057)

* kernel: NFSv4: Prevent NULL-pointer dereference in nfs42_complete_copies()
(CVE-2024-50046)

* kernel: thermal: core: Reference count the zone in thermal_zone_get_by_id()
(CVE-2024-50028)

* kernel: net: Fix an unsafe loop on the list (CVE-2024-50024)

* kernel: serial: protect uart_port_dtr_rts() in uart_shutdown() too
(CVE-2024-50058)

* kernel: driver core: bus: Fix double free in driver API bus_register()
(CVE-2024-50055)

* kernel: net/sched: accept TCA_STAB only for root qdisc (CVE-2024-50039)

* kernel: kthread: unpark only parked kthread (CVE-2024-50019)

* kernel: net: phy: Remove LED entry from LEDs list on unregister
(CVE-2024-50023)

* kernel: thermal: core: Free tzp copy along with the thermal zone
(CVE-2024-50027)

* kernel: ppp: fix ppp_async_encode() illegal access (CVE-2024-50035)

* kernel: xen-netfront: Fix NULL sring after live migration (CVE-2022-48969)

* kernel: net: tun: Fix use-after-free in tun_detach() (CVE-2022-49014)

* kernel: hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails
(CVE-2022-49029)

* kernel: fscache: Fix oops due to race with cookie_lru and use_cookie
(CVE-2022-48989)

* kernel: tracing: Free buffers when a used dynamic event is removed
(CVE-2022-49006)

* kernel: uprobe: avoid out-of-bounds memory access of fetching args
(CVE-2024-50067)

* kernel: Bluetooth: ISO: Fix multiple init when debugfs is disabled
(CVE-2024-50077)

* kernel: blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race
(CVE-2024-50082)

* kernel: parport: Proper fix for array out-of-bounds access (CVE-2024-50074)

* kernel: tty: n_gsm: Fix use-after-free in gsm_cleanup_mux (CVE-2024-50073)

* kernel: blk-mq: setup queue ->tag_set before initializing hctx
(CVE-2024-50081)

* kernel: xhci: tegra: fix checked USB2 port number (CVE-2024-50075)

* kernel: Bluetooth: Call iso_exit() on module unload (CVE-2024-50078)

* kernel: nfsd: cancel nfsd_shrinker_work using sync mode in
nfs4_state_shutdown_net (CVE-2024-50121)

* kernel: md/raid10: fix null ptr dereference in raid10_size()
(CVE-2024-50109)

* kernel: net: wwan: fix global oob in wwan_rtnl_policy (CVE-2024-50128)

* kernel: net: sched: use RCU read-side critical section in taprio_dump()
(CVE-2024-50126)

* kernel: net: sched: fix use-after-free in taprio_change() (CVE-2024-50127)

* kernel: x86: fix user address masking non-canonical speculation issue
(CVE-2024-50102)

* kernel: drm/amd: Guard against bad data for ATIF ACPI method
(CVE-2024-50117)

* kernel: smb: client: Handle kstrdup failures for passwords (CVE-2024-50120)

* kernel: platform/x86/intel/pmc: Fix pmc_core_iounmap to call iounmap for
valid addresses (CVE-2024-50107)

* kernel: nfsd: fix race between laundromat and free_stateid (CVE-2024-50106)

* kernel: thermal: intel: int340x: processor: Fix warning during module
unload (CVE-2024-50093)

* kernel: iommu/vt-d: Fix incorrect pci_for_each_dma_alias() for non-PCI
devices (CVE-2024-50101)

* kernel: netfilter: bpf: must hold reference on net namespace
(CVE-2024-50130)

* kernel: bpf: devmap: provide rxq after redirect (CVE-2024-50162)

* kernel: udf: fix uninit-value use in udf_get_fileshortad (CVE-2024-50143)

* kernel: scsi: target: core: Fix null-ptr-deref in target_alloc_device()
(CVE-2024-50153)

* kernel: smb: client: fix OOBs when building SMB2_IOCTL request
(CVE-2024-50151)

* kernel: bpf: Make sure internal and UAPI bpf_redirect flags don't overlap
(CVE-2024-50163)

* kernel: vsock: Update rx_bytes on read_skb() (CVE-2024-50169)

* kernel: ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and
context (CVE-2024-50141)

* kernel: usb: typec: altmode should keep reference to parent
(CVE-2024-50150)

* kernel: smb: client: fix possible double free in smb2_set_ea()
(CVE-2024-50152)

* kernel: ext4: don't set SB_RDONLY after filesystem errors
(CVE-2024-50191)

* kernel: maple_tree: correct tree corruption on spanning store
(CVE-2024-50200)

* kernel: pinctrl: intel: platform: fix error path in
device_for_each_child_node() (CVE-2024-50197)

* kernel: net: explicitly clear the sk pointer, when pf->create fails
(CVE-2024-50186)

* kernel: HID: amd_sfh: Switch to device-managed dmam_alloc_coherent()
(CVE-2024-50189)

* kernel: drm/radeon: Fix encoder->possible_clones (CVE-2024-50201)

* kernel: mm/swapfile: skip HugeTLB pages for unuse_vma (CVE-2024-50199)

* kernel: secretmem: disable memfd_secret() if arch cannot set direct map
(CVE-2024-50182)

* kernel: wifi: ath10k: Fix memory leak in management tx (CVE-2024-50236)

* kernel: mm/page_alloc: let GFP_ATOMIC order-0 allocs access highatomic
reserves (CVE-2024-50219)

* kernel: mm: shmem: fix data-race in shmem_getattr() (CVE-2024-50228)

* kernel: wifi: cfg80211: clear wdev->cqm_config pointer on free
(CVE-2024-50235)

* kernel: nvmet-auth: assign dh_key to NULL after kfree_sensitive
(CVE-2024-50215)

* kernel: netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6()
(CVE-2024-50256)

* kernel: wifi: mac80211: do not pass a stopped vif to the driver in
.get_txpower (CVE-2024-50237)

* kernel: xfs: fix finding a last resort AG in xfs_filestream_pick_ag
(CVE-2024-50216)

* kernel: macsec: Fix use-after-free while sending the offloading packet
(CVE-2024-50261)

* kernel: signal: restore the override_rlimit logic (CVE-2024-50271)

* kernel: dm cache: fix potential out-of-bounds access on the first resume
(CVE-2024-50278)

* kernel: filemap: Fix bounds checking in filemap_read() (CVE-2024-50272)

* kernel: drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()
(CVE-2024-50282)

* kernel: sctp: properly validate chunk size in sctp_sf_ootb()
(CVE-2024-50299)

* kernel: usb: dwc3: fix fault at system suspend if device was already
runtime suspended (CVE-2024-53070)

* kernel: drm/amdgpu: prevent NULL pointer dereference if ATIF is not
supported (CVE-2024-53060)

* kernel: virtio_net: Add hash_key_length check (CVE-2024-53082)

* kernel: ipv4: ip_tunnel: Fix suspicious RCU usage warning in
ip_tunnel_init_flow() (CVE-2024-53042)

* kernel: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT
(CVE-2024-53057)

* kernel: wifi: iwlwifi: mvm: fix 6 GHz scan construction (CVE-2024-53055)

* kernel: tpm: Lock TPM chip in tpm_pm_suspend() first (CVE-2024-53085)

* kernel: ipv4: ip_tunnel: Fix suspicious RCU usage warning in
ip_tunnel_find() (CVE-2024-50304)

* kernel: drm/i915/hdcp: Add encoder check in hdcp2_get_capability
(CVE-2024-53050)

* kernel: drm/i915/hdcp: Add encoder check in intel_hdcp_get_capability
(CVE-2024-53051)

* kernel: mptcp: init: protect sched with rcu_read_lock (CVE-2024-53047)

* kernel: platform/x86/amd/pmc: Detect when STB is not available
(CVE-2024-53072)

* kernel: wifi: iwlwifi: mvm: don't leak a link on AP removal
(CVE-2024-53074)

* kernel: net/sched: sch_api: fix xa_insert() error path in
tcf_block_get_ext() (CVE-2024-53044)

* kernel: wifi: iwlwifi: mvm: Fix response handling in
iwl_mvm_send_recovery_cmd() (CVE-2024-53059)

* kernel: smb: client: Fix use-after-free of network namespace.
(CVE-2024-53095)

* kernel: nvme-multipath: defer partition scanning (CVE-2024-53093)

* kernel: bpf: Add sk_is_inet and IS_ICSK check in tls_sw_has_ctx_tx/rx
(CVE-2024-53091)

* kernel: mm: resolve faulty mmap_region() error path behaviour
(CVE-2024-53096)

* kernel: mm: krealloc: Fix MTE false alarm in __do_krealloc (CVE-2024-53097)

* kernel: hv_sock: Initializing vsk->trans to NULL to prevent a dangling
pointer (CVE-2024-53103)

* kernel: vsock: Fix sk_error_queue memory leak (CVE-2024-53118)

* kernel: mptcp: error out earlier on disconnect (CVE-2024-53123)

* kernel: net: fix data-races around sk->sk_forward_alloc (CVE-2024-53124)

* kernel: mm: page_alloc: move mlocked flag clearance into
free_pages_prepare() (CVE-2024-53105)

* kernel: net/mlx5e: CT: Fix null-ptr-deref in add rule err flow
(CVE-2024-53120)

* kernel: virtio/vsock: Improve MSG_ZEROCOPY error handling (CVE-2024-53117)

* kernel: net/mlx5: fs, lock FTE when checking if active (CVE-2024-53121)

* kernel: vp_vdpa: fix id_table array not null terminated error
(CVE-2024-53110)

* kernel: mm: revert "mm: shmem: fix data-race in shmem_getattr()"
(CVE-2024-53136)

* kernel: pmdomain: imx93-blk-ctrl: correct remove path (CVE-2024-53134)

* kernel: initramfs: avoid filename buffer overrun (CVE-2024-53142)

* kernel: NFSD: Prevent a potential integer overflow (CVE-2024-53146)

* kernel: PCI: tegra194: Move controller cleanups to
pex_ep_event_pex_rst_deassert() (CVE-2024-53152)

* kernel: wifi: ath9k: add range check for conn_rsp_epid in
htc_connect_service() (CVE-2024-53156)

* kernel: EDAC/bluefield: Fix potential integer overflow (CVE-2024-53161)

* kernel: rcu/kvfree: Fix data-race in __mod_timer / kvfree_call_rcu
(CVE-2024-53160)

* kernel: net: sched: fix ordering of qlen adjustment (CVE-2024-53164)

* kernel: PCI: Fix use-after-free of slot->bus on hot remove
(CVE-2024-53194)

* kernel: zram: fix NULL pointer in comp_algorithm_show() (CVE-2024-53222)

* kernel: block, bfq: fix bfqq uaf in bfq_limit_depth() (CVE-2024-53166)

* kernel: Bluetooth: fix use-after-free in device_for_each_child()
(CVE-2024-53237)

* kernel: net: usb: lan78xx: Fix double free issue with interrupt buffer
allocation (CVE-2024-53213)

* kernel: Bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync
(CVE-2024-53208)

* kernel: NFSv4.0: Fix a use-after-free problem in the asynchronous open()
(CVE-2024-53173)

* kernel: RDMA/mlx5: Move events notifier registration to be after device
registration (CVE-2024-53224)

* kernel: wifi: rtlwifi: Drastically reduce the attempts to read efuse in
case of failures (CVE-2024-53190)

* kernel: usb: typec: fix potential array underflow in
ucsi_ccg_sync_control() (CVE-2024-53203)

* kernel: SUNRPC: make sure cache entry active before cache_show
(CVE-2024-53174)

* kernel: Bluetooth: hci_conn: Use disable_delayed_work_sync (CVE-2024-56591)

* kernel: i3c: master: Fix miss free init_dyn_addr at
i3c_master_put_i3c_addrs() (CVE-2024-56562)

* kernel: mm/mempolicy: fix migrate_to_node() assuming there is at least one
VMA in a MM (CVE-2024-56611)

* kernel: wifi: rtw89: coex: check NULL return of kmalloc in
btc_fw_set_monreg() (CVE-2024-56535)

* kernel: net: inet6: do not leave a dangling sk pointer in inet6_create()
(CVE-2024-56600)

* kernel: scsi: qla2xxx: Fix use after free on unload (CVE-2024-56623)

* kernel: mm/slub: Avoid list corruption when removing a slab from the full
list (CVE-2024-56566)

* kernel: ovl: Filter invalid inodes with missing lookup function
(CVE-2024-56570)

* kernel: net: inet: do not leave a dangling sk pointer in inet_create()
(CVE-2024-56601)

* kernel: drm/amdgpu: fix usage slab after free (CVE-2024-56551)

* kernel: drm/dp_mst: Fix MST sideband message body length check
(CVE-2024-56616)

* kernel: Bluetooth: hci_core: Fix not checking skb length on
hci_acldata_packet (CVE-2024-56590)

* kernel: Bluetooth: RFCOMM: avoid leaving dangling sk pointer in
rfcomm_sock_alloc() (CVE-2024-56604)

* kernel: net: ieee802154: do not leave a dangling sk pointer in
ieee802154_create() (CVE-2024-56602)

* kernel: Bluetooth: L2CAP: do not leave dangling sk pointer on error in
l2cap_sock_create() (CVE-2024-56605)

* kernel: scsi: sg: Fix slab-use-after-free read in sg_release()
(CVE-2024-56631)

* kernel: Bluetooth: btmtk: avoid UAF in btmtk_process_coredump
(CVE-2024-56653)

* kernel: wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one
(CVE-2024-56663)

* kernel: drm/i915: Fix NULL pointer dereference in capture_engine
(CVE-2024-56667)

* kernel: net/ipv6: release expired exception dst cached in socket
(CVE-2024-56644)

* kernel: net: Fix icmp host relookup triggering ip_rt_bug (CVE-2024-56647)

* kernel: tipc: Fix use-after-free of kernel socket in cleanup_bearer().
(CVE-2024-56642)

* kernel: Bluetooth: hci_event: Fix using rcu_read_(un)lock while iterating
(CVE-2024-56654)

* kernel: xsk: fix OOB map writes when deleting elements (CVE-2024-56614)

* kernel: nfsd: make sure exp active before svc_export_show (CVE-2024-56558)

* kernel: bpf, sockmap: Fix race between element replace and close()
(CVE-2024-56664)

* kernel: sunrpc: clear XPRT_SOCK_UPD_TIMEOUT when reset transport
(CVE-2024-56688)

* kernel: brd: defer automatic disk creation until module initialization
succeeds (CVE-2024-56693)

* kernel: smb: Initialize cfid->tcon before performing network ops
(CVE-2024-56729)

* kernel: Bluetooth: btusb: mediatek: add intf release flow when usb
disconnect (CVE-2024-56757)

* kernel: PCI/MSI: Handle lack of irqdomain gracefully (CVE-2024-56760)

* kernel: netfilter: nft_socket: remove WARN_ON_ONCE on maximum cgroup level
(CVE-2024-56783)

* kernel: nfsd: fix nfs4_openowner leak when concurrent nfsd4_open occur
(CVE-2024-56779)

* kernel: wifi: rtw89: check return value of ieee80211_probereq_get() for RNR
(CVE-2024-48873)

* kernel: drm/dp_mst: Ensure mst_primary pointer is valid in
drm_dp_mst_handle_up_req() (CVE-2024-57798)

* kernel: Bluetooth: iso: Fix circular lock in iso_listen_bis
(CVE-2024-54460)

* kernel: smb: client: fix TCP timers deadlock after rmmod (CVE-2024-54680)

* kernel: nvme-rdma: unquiesce admin_q before destroy it (CVE-2024-49569)

* kernel: virtio-net: fix overflow inside virtnet_rq_alloc (CVE-2024-57843)

* kernel: Bluetooth: iso: Always release hdev at the end of iso_listen_bis
(CVE-2024-57879)

* kernel: pinmux: Use sequential access to access desc->pinmux data
(CVE-2024-47141)

* kernel: PCI: imx6: Fix suspend/resume support on i.MX6QDL (CVE-2024-57809)

* kernel: Bluetooth: hci_core: Fix sleeping function called from invalid
context (CVE-2024-57894)

* kernel: workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work from
!WQ_MEM_RECLAIM worker (CVE-2024-57888)

* kernel: mm: vmscan: account for free pages to prevent infinite Loop in
throttle_direct_reclaim() (CVE-2024-57884)

* kernel: wifi: cfg80211: clear link ID from bitmap during link delete after
clean up (CVE-2024-57898)

* kernel: RDMA/uverbs: Prevent integer overflow issue (CVE-2024-57890)

* kernel: nvmet: Don't overflow subsysnqn (CVE-2024-53681)

* kernel: afs: Fix the maximum cell name length (CVE-2025-21646)

* kernel: dm array: fix releasing a faulty array block twice in
dm_array_cursor_end (CVE-2024-57929)

* kernel: exfat: fix the infinite loop in exfat_readdir() (CVE-2024-57940)

* kernel: selinux: ignore unknown extended permissions (CVE-2024-57931)

* kernel: net: stmmac: dwmac-tegra: Read iommu stream id from device tree
(CVE-2025-21663)

* kernel: vsock/virtio: discard packets if the transport changes
(CVE-2025-21669)

* kernel: vsock: prevent null-ptr-deref in vsock_*[has_data|has_space]
(CVE-2025-21666)

* kernel: pmdomain: imx8mp-blk-ctrl: add missing loop break condition
(CVE-2025-21668)

* kernel: USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb()
(CVE-2025-21689)

* kernel: fs/proc: fix softlockup in __read_vmcore (part 2) (CVE-2025-21694)

* kernel: Secure Boot does not automatically enable kernel lockdown
(CVE-2025-1272)

* kernel: vmxnet3: Fix packet corruption in vmxnet3_xdp_xmit_frame
(CVE-2024-58099)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9 Release Notes linked from the References section.

This content is licensed under the Creative Commons Attribution 4.0
International License (https://creativecommons.org/licenses/by/4.0/). If you
distribute this content, or a modified version of it, you must provide
attribution to Red Hat Inc. and provide a link to the original.

Original: https://access.redhat.com/security/data/csaf/v2/advisories/2025/rhsa-2025_6966.json




Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds