{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_security_advisory","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"Security update for kernel-livepatch-MICRO-6-0_Update_12","title":"Title of the patch"},{"category":"description","text":"This update for kernel-livepatch-MICRO-6-0_Update_12 fixes the following issues:\n\n- CVE-2025-38616: tls: handle data disappearing from under the TLS ULP (bsc#1249537)\n","title":"Description of the patch"},{"category":"details","text":"SUSE-SLE-Micro-6.1-kernel-227","title":"Patchnames"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"SUSE ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"self","summary":"URL of this CSAF notice","url":"https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_21115-1.json"},{"category":"self","summary":"URL for SUSE-SU-2025:21115-1","url":"https://www.suse.com/support/update/announcement/2025/suse-su-202521115-1/"},{"category":"self","summary":"E-Mail link for SUSE-SU-2025:21115-1","url":"https://lists.suse.com/pipermail/sle-security-updates/2025-December/023462.html"},{"category":"self","summary":"SUSE Bug 1249537","url":"https://bugzilla.suse.com/1249537"},{"category":"self","summary":"SUSE CVE CVE-2025-38616 page","url":"https://www.suse.com/security/cve/CVE-2025-38616/"}],"title":"Security update for kernel-livepatch-MICRO-6-0_Update_12","tracking":{"current_release_date":"2025-11-28T08:20:42Z","generator":{"date":"2025-11-28T08:20:42Z","engine":{"name":"cve-database.git:bin/generate-csaf.pl","version":"1"}},"id":"SUSE-SU-2025:21115-1","initial_release_date":"2025-11-28T08:20:42Z","revision_history":[{"date":"2025-11-28T08:20:42Z","number":"1","summary":"Current version"}],"status":"final","version":"1"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_version","name":"kernel-livepatch-6_4_0-35-default-3-1.1.s390x","product":{"name":"kernel-livepatch-6_4_0-35-default-3-1.1.s390x","product_id":"kernel-livepatch-6_4_0-35-default-3-1.1.s390x"}}],"category":"architecture","name":"s390x"},{"branches":[{"category":"product_version","name":"kernel-livepatch-6_4_0-35-default-3-1.1.x86_64","product":{"name":"kernel-livepatch-6_4_0-35-default-3-1.1.x86_64","product_id":"kernel-livepatch-6_4_0-35-default-3-1.1.x86_64"}}],"category":"architecture","name":"x86_64"},{"branches":[{"category":"product_name","name":"SUSE Linux Micro 6.1","product":{"name":"SUSE Linux Micro 6.1","product_id":"SUSE Linux Micro 6.1","product_identification_helper":{"cpe":"cpe:/o:suse:sl-micro:6.1"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"kernel-livepatch-6_4_0-35-default-3-1.1.s390x as component of SUSE Linux Micro 6.1","product_id":"SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-35-default-3-1.1.s390x"},"product_reference":"kernel-livepatch-6_4_0-35-default-3-1.1.s390x","relates_to_product_reference":"SUSE Linux Micro 6.1"},{"category":"default_component_of","full_product_name":{"name":"kernel-livepatch-6_4_0-35-default-3-1.1.x86_64 as component of SUSE Linux Micro 6.1","product_id":"SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-35-default-3-1.1.x86_64"},"product_reference":"kernel-livepatch-6_4_0-35-default-3-1.1.x86_64","relates_to_product_reference":"SUSE Linux Micro 6.1"}]},"vulnerabilities":[{"cve":"CVE-2025-38616","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2025-38616"}],"notes":[{"category":"general","text":"In the Linux kernel, the following vulnerability has been resolved:\n\ntls: handle data disappearing from under the TLS ULP\n\nTLS expects that it owns the receive queue of the TCP socket.\nThis cannot be guaranteed in case the reader of the TCP socket\nentered before the TLS ULP was installed, or uses some non-standard\nread API (eg. zerocopy ones). Replace the WARN_ON() and a buggy\nearly exit (which leaves anchor pointing to a freed skb) with real\nerror handling. Wipe the parsing state and tell the reader to retry.\n\nWe already reload the anchor every time we (re)acquire the socket lock,\nso the only condition we need to avoid is an out of bounds read\n(not having enough bytes in the socket for previously parsed record len).\n\nIf some data was read from under TLS but there's enough in the queue\nwe'll reload and decrypt what is most likely not a valid TLS record.\nLeading to some undefined behavior from TLS perspective (corrupting\na stream? missing an alert? missing an attack?) but no kernel crash\nshould take place.","title":"CVE description"}],"product_status":{"recommended":["SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-35-default-3-1.1.s390x","SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-35-default-3-1.1.x86_64"]},"references":[{"category":"external","summary":"CVE-2025-38616","url":"https://www.suse.com/security/cve/CVE-2025-38616"},{"category":"external","summary":"SUSE Bug 1248512 for CVE-2025-38616","url":"https://bugzilla.suse.com/1248512"},{"category":"external","summary":"SUSE Bug 1249537 for CVE-2025-38616","url":"https://bugzilla.suse.com/1249537"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-35-default-3-1.1.s390x","SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-35-default-3-1.1.x86_64"]}],"scores":[{"cvss_v3":{"baseScore":7.4,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H","version":"3.1"},"products":["SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-35-default-3-1.1.s390x","SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-35-default-3-1.1.x86_64"]}],"threats":[{"category":"impact","date":"2025-11-28T08:20:42Z","details":"important"}],"title":"CVE-2025-38616"}]}