SUSE-IU-2025:1505-1 SUSE Image security@suse.de SUSE Security Team SUSE Image SUSE-IU-2025:1505-1 Interim 1 1 2026-03-11T09:20:03Z current 2025-06-09T01:00:00Z 2025-06-09T01:00:00Z cve-database/bin/generate-cvrf-publiccloud.pl 2021-02-18T01:00:00Z Image update for SUSE-IU-2025:1505-1 / google/sles-15-sp5-v20250609-arm64 This image update for google/sles-15-sp5-v20250609-arm64 contains the following changes: Package apparmor was updated: - Add dac_read_search capability for unix_chkpwd to allow it to read the shadow file even if it has 000 permissions. This is needed after the CVE-2024-10041 fix in PAM. * unix-chkpwd-add-read-capability.path, bsc#1241678 - Allow pam_unix to execute unix_chkpwd with abi/3.0 - remove dovecot-unix_chkpwd.diff - Add allow-pam_unix-to-execute-unix_chkpwd.patch - Add revert-abi-change-for-unix_chkpwd.patch (bsc#1234452, bsc#1232234) Package augeas was updated: - Add patch, fix for bsc#1239909 / CVE-2025-2588: * CVE-2025-2588.patch Package cifs-utils was updated: - CVE-2025-2312: cifs-utils: cifs.upcall makes an upcall to the wrong namespace in containerized environments while trying to get Kerberos credentials (bsc#1239680) * add New-mount-option-for-cifs.upcall-namespace-reso.patch Package cloud-netconfig was updated: - Update to version 1.15 + Add support for creating IPv6 default route in GCE (bsc#1240869) + Minor fix when looking up IPv6 default route Package cloud-regionsrv-client was updated: - Update version to 10.4.0 + Remove repositories when the package is being removed We do not want to leave repositories behind refering to the plugin that is being removed when the package gets removed (bsc#1240310, bsc#1240311) + Turn docker into an optional setup (jsc#PCT-560) Change the Requires into a Recommends and adapt the code accordingly + Support flexible licenses in GCE (jsc#PCT-531) + Drop the azure-addon package it is geting replaced by the license-watcher package which has a generic implementation of the same functionality. + Handle cache inconsistencies (bsc#1218345) + Properly handle the zypper root target argument (bsc#1240997) Package containerd was updated: - Update to containerd v1.7.27. Upstream release notes: &lt;https://github.com/containerd/containerd/releases/tag/v1.7.27&gt; bsc#1239749 CVE-2024-40635 - Rebase patches: * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch - Update to containerd v1.7.26. Upstream release notes: &lt;https://github.com/containerd/containerd/releases/tag/v1.7.26&gt; - Rebase patches: * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch - Update to containerd v1.7.25. Upstream release notes: &lt;https://github.com/containerd/containerd/releases/tag/v1.7.25&gt; &lt;https://github.com/containerd/containerd/releases/tag/v1.7.24&gt; - Rebase patches: * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch Package lvm2 was updated: - LVM filter behaves unexpectedly for MPIO devices in SLES15SP5 (bsc#1216938) * set lvm.conf devices.multipath_wwids_file=&quot;&quot; Package glib2 was updated: - Add glib2-CVE-2025-3360.patch: Backport 8d60d7dc from upstream, Fix integer overflow when parsing very long ISO8601 inputs. This will only happen with invalid (or maliciously invalid) potential ISO8601 strings, but `g_date_time_new_from_iso8601()` needs to be robust against that. (CVE-2025-3360, bsc#1240897) Package glibc was updated: - static-setuid-ld-library-path.patch: elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for static (CVE-2025-4802, bsc#1243317) - pthread-wakeup.patch: pthreads NPTL: lost wakeup fix 2 (bsc#1234128, BZ [#25847]) Package google-guest-agent was updated: - Update to version 20250506.01 (bsc#1243254, bsc#1243505) * Make sure agent added connections are activated by NM (#534) - from version 20250506.00 * wrap NSS cache refresh in a goroutine (#533) - from version 20250502.01 * Wicked: Only reload interfaces for which configurations are written or changed. (#524) - from version 20250502.00 * Add AuthorizedKeysCompat to windows packaging (#530) * Remove error messages from gce_workload_cert_refresh and metadata script runner (#527) * Update guest-logging-go dependency (#526) * Add 'created-by' metadata, and pass it as option to logging library (#508) * Revert &quot;oslogin: Correctly handle newlines at the end of modified files (#520)&quot; (#523) * Re-enable disabled services if the core plugin was enabled (#522) * Enable guest services on package upgrade (#519) * oslogin: Correctly handle newlines at the end of modified files (#520) * Fix core plugin path (#518) * Fix package build issues (#517) * Fix dependencies ran go mod tidy -v (#515) * Fix debian build path (#514) * Bundle compat metadata script runner binary in package (#513) * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512) * Update startup/shutdown services to launch compat manager (#503) * Bundle new gce metadata script runner binary in agent package (#502) * Revert &quot;Revert bundling new binaries in the package (#509)&quot; (#511) - from version 20250418.00 * Re-enable disabled services if the core plugin was enabled (#521) - from version 20250414.00 * Add AuthorizedKeysCompat to windows packaging (#530) * Remove error messages from gce_workload_cert_refresh and metadata script runner (#527) * Update guest-logging-go dependency (#526) * Add 'created-by' metadata, and pass it as option to logging library (#508) * Revert &quot;oslogin: Correctly handle newlines at the end of modified files (#520)&quot; (#523) * Re-enable disabled services if the core plugin was enabled (#522) * Enable guest services on package upgrade (#519) * oslogin: Correctly handle newlines at the end of modified files (#520) * Fix core plugin path (#518) * Fix package build issues (#517) * Fix dependencies ran go mod tidy -v (#515) * Fix debian build path (#514) * Bundle compat metadata script runner binary in package (#513) * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512) * Update startup/shutdown services to launch compat manager (#503) * Bundle new gce metadata script runner binary in agent package (#502) * Revert &quot;Revert bundling new binaries in the package (#509)&quot; (#511) Package grub2 was updated: - Refresh PPC NVMEoF ofpath related patches to newer revision * 0002-ieee1275-ofpath-enable-NVMeoF-logical-device-transla.patch - Patch refreshed * 0001-grub2-Set-multiple-device-path-for-a-nvmf-boot-devic.patch - Patch obsoleted * 0004-ofpath-controller-name-update.patch - Fix segmentation fault error in grub2-probe with target=hints_string (bsc#1235971) (bsc#1235958) (bsc#1239651) * 0001-ofpath-Add-error-check-in-NVMEoF-device-translation.patch Package hwinfo was updated: - merge gh#openSUSE/hwinfo#156- fix network card detection on aarch64 (bsc#1240648) - 21.88 Package iproute2 was updated: - avoid spurious cgroup warning (bsc#1234383): - ss-Tone-down-cgroup-path-resolution.patch Package iputils was updated: - Security fix [bsc#1242300, CVE-2025-47268] * integer overflow in RTT calculation can lead to undefined behavior * Add iputils-CVE-2025-47268.patch Package kbd was updated: - Don't search for resources in the current directory. It can cause unwanted side effects or even infinite loop (bsc#1237230, kbd-ignore-working-directory-1.patch, kbd-ignore-working-directory-2.patch, kbd-ignore-working-directory-3.patch). Package kernel-default was updated: - netfilter: conntrack: revisit the gc initial rescheduling bias (CVE-2022-49110 bsc#1237981). - commit 7e1d902 - netfilter: conntrack: fix the gc rescheduling delay (CVE-2022-49110 bsc#1237981). - commit 9cc8bdd - netfilter: conntrack: revisit gc autotuning (CVE-2022-49110 bsc#1237981). - commit da48bfa - Bluetooth: fix null ptr deref on hci_sync_conn_complete_evt (bsc#1238032 CVE-2022-49139). - commit 2031355 - watch_queue: fix pipe accounting mismatch (CVE-2025-23138 bsc#1241648). - commit 789ef85 - 9p/trans_fd: always use O_NONBLOCK read/write (CVE-2022-49767 bsc#1242493). - commit 9dce75d - Update patches.suse/dm-crypt-add-cond_resched-to-dmcrypt_write-fb29.patch (git-fixes CVE-2023-53051 bsc#1242284). - commit 9098844 - x86/bhi: Do not set BHI_DIS_S in 32-bit mode (bsc#1242778). - x86/bpf: Add IBHF call at end of classic BPF (bsc#1242778). - x86/bpf: Call branch history clearing sequence on exit (bsc#1242778). - commit 636fe6a - Update patches.suse/can-etas_es58x-es58x_rx_err_msg-fix-memory-leak-in-e.patch (git-fixes stable-5.14.19 CVE-2021-47671 bsc#1241421). - commit 855e2af - Update patches.suse/cifs-fix-potential-null-pointer-use-in-destroy_workqueue-in-init_ci.patch (git-fixes CVE-2024-42307 bsc#1229361). - Update patches.suse/fou-fix-initialization-of-grc.patch (CVE-2024-46763 bsc#1230764 CVE-2024-46865 bsc#1231103). - commit 5bc8269 - Revert &quot;exec: fix the racy usage of fs_struct-&gt;in_exec (CVE-2025-22029&quot; This reverts commit b68bd5953c15c3c2b21e60fbd6d8a52b0bbb030c. This turned out to be not an issue. See https://bugzilla.suse.com/show_bug.cgi?id=1241378#c4 - commit d9d19c1 - exec: fix the racy usage of fs_struct-&gt;in_exec (CVE-2025-22029 bsc#1241378). - commit b68bd59 - x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs (CVE-2025-22045 bsc#1241433). - commit c4ca325 - memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove (bsc#1241280 CVE-2025-22020). - commit 0f74fae - drm/vkms: Fix use after free and double free on init error (CVE-2025-22097 bsc#1241541). - commit 02fe040 - jfs: fix slab-out-of-bounds read in ea_get() (bsc#1241625 CVE-2025-39735). - commit dfc1530 - fou: fix initialization of grc (CVE-2024-46763 bsc#1230764). - commit 3a5d26f - fou: Fix null-ptr-deref in GRO (CVE-2024-46763 bsc#1230764). - commit 176d11e - net: fix geneve_opt length integer overflow (CVE-2025-22055 bsc#1241371). - commit 15ff527 - net: atm: fix use after free in lec_send() (CVE-2025-22004 bsc#1240835). - commit 889e26f - kABI workaround struct rcu_head and ax25_ptr (CVE-2025-21812 bsc#1238471). - commit 1d6ea68 - ax25: rcu protect dev-&gt;ax25_ptr (CVE-2025-21812 bsc#1238471). - Refresh patches.kabi/net-ax25_dev-kabi-workaround.patch. - commit 88b5c8e - Update patches.suse/Bluetooth-hci_conn-Fix-memory-leaks.patch (git-fixes CVE-2023-53018 bsc#1240211). - Update patches.suse/acpi-Fix-suspend-with-Xen-PV.patch (git-fixes CVE-2023-52994 bsc#1240269). - Update patches.suse/bpf-Skip-invalid-kfunc-call-in-backtrack_insn.patch (bsc#1225903 CVE-2023-52928 bsc#1240248). - Update patches.suse/bpf-sockmap-Check-for-any-of-tcp_bpf_prots-when-clon.patch (git-fixes CVE-2023-52986 bsc#1240306). - Update patches.suse/dmaengine-tegra-Fix-memory-leak-in-terminate_all.patch (git-fixes CVE-2023-53014 bsc#1240295). - Update patches.suse/drm-amdkfd-Add-sync-after-creating-vram-bo.patch (bsc#1206843 CVE-2023-53009 bsc#1240314). - Update patches.suse/drm-drm_vma_manager-Add-drm_vma_node_allow_once.patch (git-fixes CVE-2023-53001 bsc#1240315). - Update patches.suse/drm-i915-Avoid-potential-vm-use-after-free.patch (git-fixes CVE-2023-52931 bsc#1240271). - Update patches.suse/drm-i915-Fix-a-memory-leak-with-reused-mmap_offset.patch (git-fixes CVE-2023-53002 bsc#1240230). - Update patches.suse/drm-i915-Fix-request-ref-counting-during-error-captu.patch (git-fixes CVE-2023-52981 bsc#1240274). - Update patches.suse/fpga-m10bmc-sec-Fix-probe-rollback.patch (git-fixes CVE-2022-49745 bsc#1240246). - Update patches.suse/fscache-Use-wait_on_bit-to-wait-for-the-freeing-of-re.patch (bsc#1210409 CVE-2023-52982 bsc#1240214). - Update patches.suse/kernel-irq-irqdomain.c-fix-memory-leak-with-using-de.patch (git-fixes CVE-2023-52936 bsc#1240321). - Update patches.suse/msft-hv-2746-HV-hv_balloon-fix-memory-leak-with-using-debugfs_loo.patch (git-fixes CVE-2023-52937 bsc#1240209). - Update patches.suse/powerpc-imc-pmu-Fix-use-of-mutex-in-IRQs-disabled-se.patch (bsc#1054914 fate#322448 git-fixes CVE-2023-53031 bsc#1240285). - Update patches.suse/usb-typec-ucsi-Don-t-attempt-to-resume-the-ports-bef.patch (git-fixes CVE-2023-52938 bsc#1240228). - commit 402c01c - Update patches.suse/fbdev-smscufx-fix-error-handling-code-in-ufx_usb_pro.patch (git-fixes CVE-2022-49741 bsc#1240747). - commit 0c9a431 - arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array (CVE-2025-21785 bsc#1238747) - commit 2c96a9a - netfilter: nf_tables: must hold rcu read lock while iterating object type list (CVE-2022-48933 bsc#1229621). - netfilter: nf_tables: skip transaction if update object is not implemented (CVE-2022-48933 bsc#1229621). - netfilter: nf_tables: NULL pointer dereference in nf_tables_updobj() (CVE-2022-48933 bsc#1229621). - commit 176015d - netfilter: nf_tables: fix memory leak during stateful obj update (CVE-2022-48933 bsc#1229621). - commit e34cbe9 - netfilter: xtables: fix typo causing some targets not to load on IPv6 (CVE-2024-50038 bsc#1231910). - netfilter: xtables: avoid NFPROTO_UNSPEC where needed (CVE-2024-50038 bsc#1231910). - commit 9a939db - vrf: use RCU protection in l3mdev_l3_out() (CVE-2025-21791 bsc#1238512). - commit 50bbf71 - CIFS: New mount option for cifs.upcall namespace resolution (CVE-2025-2312 bsc#1239684). - commit 8fc41d8 - Delete patches.suse/btrfs-defrag-don-t-use-merged-extent-map-for-their-generat.patch. - Delete patches.suse/btrfs-fix-defrag-not-merging-contiguous-extents-due-to-mer.patch. - Delete patches.suse/btrfs-fix-extent-map-merging-not-happening-for-adjacent-ex.patch. Reverting ineffective changes for bsc#1239968 and closing it as WONTFIX. - commit d7eeedb - padata: avoid UAF for reorder_work (CVE-2025-21726 bsc#1238865). - commit bfab8c2 - kABI: Fix kABI after backport od CVE-2025-21839 (bsc#1239061 CVE-2025-21839). - commit 38fa6d3 - KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop (bsc#1239061 CVE-2025-21839). - commit 325b428 - KVM: X86: Set host DR6 only on VMX and for KVM_DEBUGREG_WONT_EXIT (bsc#1239061 CVE-2025-21839). - commit 8727046 - KVM: X86: Remove unneeded KVM_DEBUGREG_RELOAD (bsc#1239061 CVE-2025-21839). - commit bbb1715 Package kexec-tools was updated: - add support for lockless ringbuffer (bsc#1241249) - kexec-tools-Cleanup-remove-the-read_elf_kcore.patch - kexec-tools-Fix-an-error-definition-about-the-variable-fname.patch - kexec-tools-Cleanup-move-it-back-from-util_lib-elf_info.c.patch - kexec-tools-printk-add-support-for-lockless-ringbuffer.patch Package libapparmor was updated: - Add dac_read_search capability for unix_chkpwd to allow it to read the shadow file even if it has 000 permissions. This is needed after the CVE-2024-10041 fix in PAM. * unix-chkpwd-add-read-capability.path, bsc#1241678 - Allow pam_unix to execute unix_chkpwd with abi/3.0 - remove dovecot-unix_chkpwd.diff - Add allow-pam_unix-to-execute-unix_chkpwd.patch - Add revert-abi-change-for-unix_chkpwd.patch (bsc#1234452, bsc#1232234) Package freetype2 was updated: Package ncurses was updated: - Modify patch ncurses-5.9-ibm327x.dif * Backport sclp terminfo description entry if for s390 sclp terminal lines * Add a further sclp entry for qemu s390 based systems * Make use of dumb Package librdkafka was updated: - 0001-Fix-timespec-conversion-to-avoid-infinite-loop-2108-.patch: avoid endless loops (bsc#1242842) Package ruby2.5 was updated: - update suse.patch to 736ea75f25d52fdebb88ed6583468bd7c21190f6 - fix ReDoS in CGI::Util#escapeElement bsc#1237806 CVE-2025-27220 - fix denial of service in CGI::Cookie.parse bsc#1237804 CVE-2025-27219 - update suse.patch to 6bf78da1fc4048a11a8612741216ebc47d9ebb41 - move the request smuggling patch to the correct place actually fixes bsc#1230930 CVE-2024-47220 and now boo#1235773 Package libsolv was updated: - build both static and dynamic libraries on new suse distros- support the apk package and repository format (both v2 and v3) - new dataiterator_final_{repo,solvable} functions - bump version to 0.7.32 - Provide a symbol specific for the ruby-version so yast does not break across updates (boo#1235598) Package sqlite3 was updated: - Sync version 3.49.1 from Factory (jsc#SLE-16032): * CVE-2025-29087, bsc#1241020: Fix a bug in the concat_ws() function, introduced in version 3.44.0, that could lead to a memory error if the separator string is very large (hundreds of megabytes). * CVE-2025-29088, bsc#1241078: Enhanced the SQLITE_DBCONFIG_LOOKASIDE interface to make it more robust against misuse. * Obsoletes sqlite3-rtree-i686.patch Package libxml2 was updated: - security update- added patches CVE-2025-32414 [bsc#1241551], out-of-bounds read when parsing text via the Python API + libxml2-CVE-2025-32414.patch CVE-2025-32415 [bsc#1241453], a crafted XML document may lead to a heap-based buffer under-read + libxml2-CVE-2025-32415.patch Package libzypp was updated: - fixed build with boost 1.88.- XmlReader: Fix detection of bad input streams (fixes #635) libxml2 2.14 potentially reads the complete stream, so it may have the 'eof' bit set. Which is not 'good' but also not 'bad'. - rpm: Fix detection of %triggerscript starts (bsc#1222044) - RepoindexFileReader: add more &lt;repo&gt; related attributes a service may set. Add optional attributes gpgcheck, repo_gpgcheck, pkg_gpgcheck, keeppackages, gpgkey, mirrorlist, and metalink with the same semantic as in a .repo file. - version 17.36.7 (35) - Drop workaround for broken rpm-4.18 in Code16 (bsc#1237172) - BuildRequires: %{libsolv_devel_package} &gt;= 0.7.32. Code16 moved static libs to libsolv-devel-static. - Drop usage of SHA1 hash algorithm because it will become unavailable in FIPS mode (bsc#1240529) - Fix zypp.conf dupAllowVendorChange to reflect the correct default (false). The default was true in Code12 (libzypp-16.x) and changed to false with Code15 (libzypp-17.x). Unfortunately this was done by shipping a modified zypp.conf file rather than fixing the code. - zypp.conf: Add `lock_timeout` ($ZYPP_LOCK_TIMEOUT) (bsc#1239809) - version 17.36.6 (35) - Fix computation of RepStatus if Repo URLs change. - Fix lost double slash when appending to an absolute FTP url (bsc#1238315) Ftp actually differs between absolute and relative URL paths. Absolute path names begin with a double slash encoded as '/%2F'. This must be preserved when manipulating the path. - version 17.36.5 (35) - Add a transaction package preloader (fixes openSUSE/zypper#104) This patch adds a preloader that concurrently downloads files during a transaction commit. It's not yet enabled per default. To enable the preview set ZYPP_CURL2=1 and ZYPP_PCK_PRELOAD=1 in the environment. - RpmPkgSigCheck_test: Exchange the test package signingkey (fixes #622) - Exclude MediaCurl tests if DISABLE_MEDIABACKEND_TESTS (fixes #626) - Strip a mediahandler tag from baseUrl querystrings. - version 17.36.4 (35) Package openssh was updated: - Added openssh-bsc1241045-kexalgo-gt-256bits.patch (bsc#1241045) from upstream, which allows KEX hashes greater than 256 bits. Thanks to Ali Abdallah &lt;ali.abdallah@suse.com&gt;. - Added openssh-cve-2025-32728.patch (bsc#1241012, CVE-2025-32728). This fixes an upstream logic error handling the DisableForwarding option. - Update openssh-7.6p1-audit_race_condition.patch (bsc#1232533), fixing failures with very large MOTDs. Thanks to Ali Abdallah &lt;ali.abdallah@suse.com&gt;. - Updated openssh-8.1p1-audit.patch (bsc#1228634) with modification from Jaroslav Jindrak (jjindrak@suse.com) to fix the hostname being left out of the audit output. Package pam was updated: - pam_unix/passverify: (get_account_info) [!HELPER_COMPILE]: Always return PAM_UNIX_RUN_HELPER instead of trying to obtain the shadow password file entry. [passverify-always-run-the-helper-to-obtain-shadow_pwd.patch, bsc#1232234, CVE-2024-10041] - Do not reject the user with a hash assuming it's non-empty. [pam_unix-allow-empty-passwords-with-non-empty-hashes.patch] Package patterns-base was updated: Package python3-setuptools was updated: - Add patch CVE-2025-47273.patch to fix A path traversal vulnerability. (bsc#1243313, CVE-2025-47273, gh#pypa/setuptools@250a6d17978f) Package 000release-packages:sle-module-basesystem-release was updated: Package 000release-packages:sle-module-containers-release was updated: Package 000release-packages:sle-module-desktop-applications-release was updated: Package 000release-packages:sle-module-development-tools-release was updated: Package 000release-packages:sle-module-public-cloud-release was updated: Package 000release-packages:sle-module-python3-release was updated: Package 000release-packages:sle-module-server-applications-release was updated: Package 000release-packages:sle-module-web-scripting-release was updated: Package timezone was updated: - Update to 2025b: * New zone for Aysén Region in Chile (America/Coyhaique) which moves from -04/-03 to -03 - Refresh patches * revert-philippines-historical-data.patch * tzdata-china.diff Package zypper was updated: - Updated translations (bsc#1230267)- version 1.14.89 - Do not double encode URL strings passed on the commandline (bsc#1237587) URLs passed on the commandline must have their special chars encoded already. We just want to check and encode forgotten unsafe chars like a blank. A '%' however must not be encoded again. - version 1.14.88 - Package preloader that concurrently downloads files. It's not yet enabled per default. To enable the preview set ZYPP_CURL2=1 and ZYPP_PCK_PRELOAD=1 in the environment. (#104) - BuildRequires: libzypp-devel &gt;= 17.36.4. - version 1.14.87 - refresh: add --include-all-archs (fixes #598) Future multi-arch repos may allow to download only those metadata which refer to packages actually compatible with the systems architecture. Some tools however want zypp to provide the full metadata of a repository without filtering incompatible architectures. - info,search: add option to search and list Enhances (bsc#1237949) - version 1.14.86 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://publiccloudimagechangeinfo.suse.com/google/sles-15-sp5-v20250609-arm64/ Public Cloud Image Info https://www.suse.com/support/security/rating/ SUSE Security Ratings Public Cloud Image google/sles-15-sp5-v20250609-arm64 apparmor-parser-3.0.4-150500.11.18.1 augeas-1.12.0-150400.3.8.1 augeas-lenses-1.12.0-150400.3.8.1 cifs-utils-6.15-150400.3.12.1 cloud-netconfig-gce-1.15-150000.25.26.1 cloud-regionsrv-client-10.4.0-150300.13.22.2 cloud-regionsrv-client-plugin-gce-1.0.0-150300.13.22.2 containerd-1.7.27-150000.123.1 device-mapper-2.03.22_1.02.196-150500.7.15.1 glib2-tools-2.70.5-150400.3.20.1 glibc-2.31-150300.95.1 glibc-i18ndata-2.31-150300.95.1 glibc-locale-2.31-150300.95.1 glibc-locale-base-2.31-150300.95.1 google-guest-agent-20250506.01-150000.1.63.1 google-guest-oslogin-20240311.00-150000.1.50.1 grub2-2.06-150500.29.50.1 grub2-arm64-efi-2.06-150500.29.50.1 hwinfo-21.88-150500.3.9.2 iproute2-5.14-150400.3.3.1 iputils-20221126-150500.3.11.1 kbd-2.4.0-150400.5.9.1 kbd-legacy-2.4.0-150400.5.9.1 kernel-default-5.14.21-150500.55.103.1 kexec-tools-2.0.20-150500.20.3.1 libapparmor1-3.0.4-150500.11.18.1 libaugeas0-1.12.0-150400.3.8.1 libdevmapper-event1_03-2.03.22_1.02.196-150500.7.15.1 libdevmapper1_03-2.03.22_1.02.196-150500.7.15.1 libfreetype6-2.10.4-150000.4.22.1 libgio-2_0-0-2.70.5-150400.3.20.1 libglib-2_0-0-2.70.5-150400.3.20.1 libgmodule-2_0-0-2.70.5-150400.3.20.1 libgobject-2_0-0-2.70.5-150400.3.20.1 liblvm2cmd2_03-2.03.22-150500.7.15.1 libncurses6-6.1-150000.5.30.1 librdkafka1-0.11.6-150000.1.11.1 libruby2_5-2_5-2.5.9-150000.4.41.1 libsolv-tools-0.7.32-150500.6.8.1 libsolv-tools-base-0.7.32-150500.6.8.1 libsqlite3-0-3.49.1-150000.3.27.1 libxml2-2-2.10.3-150500.5.26.1 libzypp-17.36.7-150500.6.45.1 lvm2-2.03.22-150500.7.15.1 ncurses-utils-6.1-150000.5.30.1 nscd-2.31-150300.95.1 openssh-8.4p1-150300.3.49.1 openssh-clients-8.4p1-150300.3.49.1 openssh-common-8.4p1-150300.3.49.1 openssh-server-8.4p1-150300.3.49.1 pam-1.3.0-150000.6.76.1 patterns-base-minimal_base-20200124-150400.20.13.1 python3-setuptools-44.1.1-150400.9.12.1 python3-solv-0.7.32-150500.6.8.1 ruby-solv-0.7.32-150500.6.8.1 ruby2.5-2.5.9-150000.4.41.1 ruby2.5-stdlib-2.5.9-150000.4.41.1 sqlite3-tcl-3.49.1-150000.3.27.1 terminfo-6.1-150000.5.30.1 terminfo-base-6.1-150000.5.30.1 timezone-2025b-150000.75.34.2 zypper-1.14.89-150500.6.29.1 apparmor-parser-3.0.4-150500.11.18.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 augeas-1.12.0-150400.3.8.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 augeas-lenses-1.12.0-150400.3.8.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 cifs-utils-6.15-150400.3.12.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 cloud-netconfig-gce-1.15-150000.25.26.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 cloud-regionsrv-client-10.4.0-150300.13.22.2 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 cloud-regionsrv-client-plugin-gce-1.0.0-150300.13.22.2 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 containerd-1.7.27-150000.123.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 device-mapper-2.03.22_1.02.196-150500.7.15.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 glib2-tools-2.70.5-150400.3.20.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 glibc-2.31-150300.95.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 glibc-i18ndata-2.31-150300.95.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 glibc-locale-2.31-150300.95.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 glibc-locale-base-2.31-150300.95.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 google-guest-agent-20250506.01-150000.1.63.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 google-guest-oslogin-20240311.00-150000.1.50.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 grub2-2.06-150500.29.50.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 grub2-arm64-efi-2.06-150500.29.50.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 hwinfo-21.88-150500.3.9.2 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 iproute2-5.14-150400.3.3.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 iputils-20221126-150500.3.11.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 kbd-2.4.0-150400.5.9.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 kbd-legacy-2.4.0-150400.5.9.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 kernel-default-5.14.21-150500.55.103.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 kexec-tools-2.0.20-150500.20.3.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 libapparmor1-3.0.4-150500.11.18.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 libaugeas0-1.12.0-150400.3.8.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 libdevmapper-event1_03-2.03.22_1.02.196-150500.7.15.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 libdevmapper1_03-2.03.22_1.02.196-150500.7.15.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 libfreetype6-2.10.4-150000.4.22.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 libgio-2_0-0-2.70.5-150400.3.20.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 libglib-2_0-0-2.70.5-150400.3.20.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 libgmodule-2_0-0-2.70.5-150400.3.20.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 libgobject-2_0-0-2.70.5-150400.3.20.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 liblvm2cmd2_03-2.03.22-150500.7.15.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 libncurses6-6.1-150000.5.30.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 librdkafka1-0.11.6-150000.1.11.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 libruby2_5-2_5-2.5.9-150000.4.41.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 libsolv-tools-0.7.32-150500.6.8.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 libsolv-tools-base-0.7.32-150500.6.8.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 libsqlite3-0-3.49.1-150000.3.27.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 libxml2-2-2.10.3-150500.5.26.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 libzypp-17.36.7-150500.6.45.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 lvm2-2.03.22-150500.7.15.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 ncurses-utils-6.1-150000.5.30.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 nscd-2.31-150300.95.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 openssh-8.4p1-150300.3.49.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 openssh-clients-8.4p1-150300.3.49.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 openssh-common-8.4p1-150300.3.49.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 openssh-server-8.4p1-150300.3.49.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 pam-1.3.0-150000.6.76.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 patterns-base-minimal_base-20200124-150400.20.13.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 python3-setuptools-44.1.1-150400.9.12.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 python3-solv-0.7.32-150500.6.8.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 ruby-solv-0.7.32-150500.6.8.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 ruby2.5-2.5.9-150000.4.41.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 ruby2.5-stdlib-2.5.9-150000.4.41.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 sqlite3-tcl-3.49.1-150000.3.27.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 terminfo-6.1-150000.5.30.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 terminfo-base-6.1-150000.5.30.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 timezone-2025b-150000.75.34.2 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 zypper-1.14.89-150500.6.29.1 as a component of Public Cloud Image google/sles-15-sp5-v20250609-arm64 In the Linux kernel, the following vulnerability has been resolved: can: etas_es58x: es58x_rx_err_msg(): fix memory leak in error path In es58x_rx_err_msg(), if can->do_set_mode() fails, the function directly returns without calling netif_rx(skb). This means that the skb previously allocated by alloc_can_err_skb() is not freed. In other terms, this is a memory leak. This patch simply removes the return statement in the error branch and let the function continue. Issue was found with GCC -fanalyzer, please follow the link below for details. CVE-2021-47671 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix memory leak during stateful obj update stateful objects can be updated from the control plane. The transaction logic allocates a temporary object for this purpose. The ->init function was called for this object, so plain kfree() leaks resources. We must call ->destroy function of the object. nft_obj_destroy does this, but it also decrements the module refcount, but the update path doesn't increment it. To avoid special-casing the update object release, do module_get for the update case too and release it via nft_obj_destroy(). CVE-2022-48933 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: revisit gc autotuning as of commit 4608fdfc07e1 ("netfilter: conntrack: collect all entries in one cycle") conntrack gc was changed to run every 2 minutes. On systems where conntrack hash table is set to large value, most evictions happen from gc worker rather than the packet path due to hash table distribution. This causes netlink event overflows when events are collected. This change collects average expiry of scanned entries and reschedules to the average remaining value, within 1 to 60 second interval. To avoid event overflows, reschedule after each bucket and add a limit for both run time and number of evictions per run. If more entries have to be evicted, reschedule and restart 1 jiffy into the future. CVE-2022-49110 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix null ptr deref on hci_sync_conn_complete_evt This event is just specified for SCO and eSCO link types. On the reception of a HCI_Synchronous_Connection_Complete for a BDADDR of an existing LE connection, LE link type and a status that triggers the second case of the packet processing a NULL pointer dereference happens, as conn->link is NULL. CVE-2022-49139 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate In the Linux kernel, the following vulnerability has been resolved: fbdev: smscufx: fix error handling code in ufx_usb_probe The current error handling code in ufx_usb_probe have many unmatching issues, e.g., missing ufx_free_usb_list, destroy_modedb label should only include framebuffer_release, fb_dealloc_cmap only matches fb_alloc_cmap. My local syzkaller reports a memory leak bug: memory leak in ufx_usb_probe BUG: memory leak unreferenced object 0xffff88802f879580 (size 128): comm "kworker/0:7", pid 17416, jiffies 4295067474 (age 46.710s) hex dump (first 32 bytes): 80 21 7c 2e 80 88 ff ff 18 d0 d0 0c 80 88 ff ff .!|............. 00 d0 d0 0c 80 88 ff ff e0 ff ff ff 0f 00 00 00 ................ backtrace: [<ffffffff814c99a0>] kmalloc_trace+0x20/0x90 mm/slab_common.c:1045 [<ffffffff824d219c>] kmalloc include/linux/slab.h:553 [inline] [<ffffffff824d219c>] kzalloc include/linux/slab.h:689 [inline] [<ffffffff824d219c>] ufx_alloc_urb_list drivers/video/fbdev/smscufx.c:1873 [inline] [<ffffffff824d219c>] ufx_usb_probe+0x11c/0x15a0 drivers/video/fbdev/smscufx.c:1655 [<ffffffff82d17927>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396 [<ffffffff82712f0d>] call_driver_probe drivers/base/dd.c:560 [inline] [<ffffffff82712f0d>] really_probe+0x12d/0x390 drivers/base/dd.c:639 [<ffffffff8271322f>] __driver_probe_device+0xbf/0x140 drivers/base/dd.c:778 [<ffffffff827132da>] driver_probe_device+0x2a/0x120 drivers/base/dd.c:808 [<ffffffff82713c27>] __device_attach_driver+0xf7/0x150 drivers/base/dd.c:936 [<ffffffff82710137>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427 [<ffffffff827136b5>] __device_attach+0x105/0x2d0 drivers/base/dd.c:1008 [<ffffffff82711d36>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487 [<ffffffff8270e242>] device_add+0x642/0xdc0 drivers/base/core.c:3517 [<ffffffff82d14d5f>] usb_set_configuration+0x8ef/0xb80 drivers/usb/core/message.c:2170 [<ffffffff82d2576c>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238 [<ffffffff82d16ffc>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293 [<ffffffff82712f0d>] call_driver_probe drivers/base/dd.c:560 [inline] [<ffffffff82712f0d>] really_probe+0x12d/0x390 drivers/base/dd.c:639 [<ffffffff8271322f>] __driver_probe_device+0xbf/0x140 drivers/base/dd.c:778 Fix this bug by rewriting the error handling code in ufx_usb_probe. CVE-2022-49741 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate In the Linux kernel, the following vulnerability has been resolved: fpga: m10bmc-sec: Fix probe rollback Handle probe error rollbacks properly to avoid leaks. CVE-2022-49745 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate In the Linux kernel, the following vulnerability has been resolved: 9p/trans_fd: always use O_NONBLOCK read/write syzbot is reporting hung task at p9_fd_close() [1], for p9_mux_poll_stop() from p9_conn_destroy() from p9_fd_close() is failing to interrupt already started kernel_read() from p9_fd_read() from p9_read_work() and/or kernel_write() from p9_fd_write() from p9_write_work() requests. Since p9_socket_open() sets O_NONBLOCK flag, p9_mux_poll_stop() does not need to interrupt kernel_read()/kernel_write(). However, since p9_fd_open() does not set O_NONBLOCK flag, but pipe blocks unless signal is pending, p9_mux_poll_stop() needs to interrupt kernel_read()/kernel_write() when the file descriptor refers to a pipe. In other words, pipe file descriptor needs to be handled as if socket file descriptor. We somehow need to interrupt kernel_read()/kernel_write() on pipes. A minimal change, which this patch is doing, is to set O_NONBLOCK flag from p9_fd_open(), for O_NONBLOCK flag does not affect reading/writing of regular files. But this approach changes O_NONBLOCK flag on userspace- supplied file descriptors (which might break userspace programs), and O_NONBLOCK flag could be changed by userspace. It would be possible to set O_NONBLOCK flag every time p9_fd_read()/p9_fd_write() is invoked, but still remains small race window for clearing O_NONBLOCK flag. If we don't want to manipulate O_NONBLOCK flag, we might be able to surround kernel_read()/kernel_write() with set_thread_flag(TIF_SIGPENDING) and recalc_sigpending(). Since p9_read_work()/p9_write_work() works are processed by kernel threads which process global system_wq workqueue, signals could not be delivered from remote threads when p9_mux_poll_stop() from p9_conn_destroy() from p9_fd_close() is called. Therefore, calling set_thread_flag(TIF_SIGPENDING)/recalc_sigpending() every time would be needed if we count on signals for making kernel_read()/kernel_write() non-blocking. [Dominique: add comment at Christian's suggestion] CVE-2022-49767 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Skip invalid kfunc call in backtrack_insn The verifier skips invalid kfunc call in check_kfunc_call(), which would be captured in fixup_kfunc_call() if such insn is not eliminated by dead code elimination. However, this can lead to the following warning in backtrack_insn(), also see [1]: ------------[ cut here ]------------ verifier backtracking bug WARNING: CPU: 6 PID: 8646 at kernel/bpf/verifier.c:2756 backtrack_insn kernel/bpf/verifier.c:2756 __mark_chain_precision kernel/bpf/verifier.c:3065 mark_chain_precision kernel/bpf/verifier.c:3165 adjust_reg_min_max_vals kernel/bpf/verifier.c:10715 check_alu_op kernel/bpf/verifier.c:10928 do_check kernel/bpf/verifier.c:13821 [inline] do_check_common kernel/bpf/verifier.c:16289 [...] So make backtracking conservative with this by returning ENOTSUPP. [1] https://lore.kernel.org/bpf/CACkBjsaXNceR8ZjkLG=dT3P=4A8SBsg0Z5h5PWLryF5=ghKq=g@mail.gmail.com/ CVE-2023-52928 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/i915: Avoid potential vm use-after-free Adding the vm to the vm_xa table makes it visible to userspace, which could try to race with us to close the vm. So we need to take our extra reference before putting it in the table. (cherry picked from commit 99343c46d4e2b34c285d3d5f68ff04274c2f9fb4) CVE-2023-52931 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate In the Linux kernel, the following vulnerability has been resolved: kernel/irq/irqdomain.c: fix memory leak with using debugfs_lookup() When calling debugfs_lookup() the result must have dput() called on it, otherwise the memory will leak over time. To make things simpler, just call debugfs_lookup_and_remove() instead which handles all of the logic at once. CVE-2023-52936 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate In the Linux kernel, the following vulnerability has been resolved: HV: hv_balloon: fix memory leak with using debugfs_lookup() When calling debugfs_lookup() the result must have dput() called on it, otherwise the memory will leak over time. To make things simpler, just call debugfs_lookup_and_remove() instead which handles all of the logic at once. CVE-2023-52937 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Don't attempt to resume the ports before they exist This will fix null pointer dereference that was caused by the driver attempting to resume ports that were not yet registered. CVE-2023-52938 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/i915: Fix request ref counting during error capture & debugfs dump When GuC support was added to error capture, the reference counting around the request object was broken. Fix it up. The context based search manages the spinlocking around the search internally. So it needs to grab the reference count internally as well. The execlist only request based search relies on external locking, so it needs an external reference count but within the spinlock not outside it. The only other caller of the context based search is the code for dumping engine state to debugfs. That code wasn't previously getting an explicit reference at all as it does everything while holding the execlist specific spinlock. So, that needs updaing as well as that spinlock doesn't help when using GuC submission. Rather than trying to conditionally get/put depending on submission model, just change it to always do the get/put. v2: Explicitly document adding an extra blank line in some dense code (Andy Shevchenko). Fix multiple potential null pointer derefs in case of no request found (some spotted by Tvrtko, but there was more!). Also fix a leaked request in case of !started and another in __guc_reset_context now that intel_context_find_active_request is actually reference counting the returned request. v3: Add a _get suffix to intel_context_find_active_request now that it grabs a reference (Daniele). v4: Split the intel_guc_find_hung_context change to a separate patch and rename intel_context_find_active_request_get to intel_context_get_active_request (Tvrtko). v5: s/locking/reference counting/ in commit message (Tvrtko) (cherry picked from commit 3700e353781e27f1bc7222f51f2cc36cbeb9b4ec) CVE-2023-52981 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate In the Linux kernel, the following vulnerability has been resolved: fscache: Use wait_on_bit() to wait for the freeing of relinquished volume The freeing of relinquished volume will wake up the pending volume acquisition by using wake_up_bit(), however it is mismatched with wait_var_event() used in fscache_wait_on_volume_collision() and it will never wake up the waiter in the wait-queue because these two functions operate on different wait-queues. According to the implementation in fscache_wait_on_volume_collision(), if the wake-up of pending acquisition is delayed longer than 20 seconds (e.g., due to the delay of on-demand fd closing), the first wait_var_event_timeout() will timeout and the following wait_var_event() will hang forever as shown below: FS-Cache: Potential volume collision new=00000024 old=00000022 ...... INFO: task mount:1148 blocked for more than 122 seconds. Not tainted 6.1.0-rc6+ #1 task:mount state:D stack:0 pid:1148 ppid:1 Call Trace: <TASK> __schedule+0x2f6/0xb80 schedule+0x67/0xe0 fscache_wait_on_volume_collision.cold+0x80/0x82 __fscache_acquire_volume+0x40d/0x4e0 erofs_fscache_register_volume+0x51/0xe0 [erofs] erofs_fscache_register_fs+0x19c/0x240 [erofs] erofs_fc_fill_super+0x746/0xaf0 [erofs] vfs_get_super+0x7d/0x100 get_tree_nodev+0x16/0x20 erofs_fc_get_tree+0x20/0x30 [erofs] vfs_get_tree+0x24/0xb0 path_mount+0x2fa/0xa90 do_mount+0x7c/0xa0 __x64_sys_mount+0x8b/0xe0 do_syscall_64+0x30/0x60 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Considering that wake_up_bit() is more selective, so fix it by using wait_on_bit() instead of wait_var_event() to wait for the freeing of relinquished volume. In addition because waitqueue_active() is used in wake_up_bit() and clear_bit() doesn't imply any memory barrier, use clear_and_wake_up_bit() to add the missing memory barrier between cursor->flags and waitqueue_active(). CVE-2023-52982 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener A listening socket linked to a sockmap has its sk_prot overridden. It points to one of the struct proto variants in tcp_bpf_prots. The variant depends on the socket's family and which sockmap programs are attached. A child socket cloned from a TCP listener initially inherits their sk_prot. But before cloning is finished, we restore the child's proto to the listener's original non-tcp_bpf_prots one. This happens in tcp_create_openreq_child -> tcp_bpf_clone. Today, in tcp_bpf_clone we detect if the child's proto should be restored by checking only for the TCP_BPF_BASE proto variant. This is not correct. The sk_prot of listening socket linked to a sockmap can point to to any variant in tcp_bpf_prots. If the listeners sk_prot happens to be not the TCP_BPF_BASE variant, then the child socket unintentionally is left if the inherited sk_prot by tcp_bpf_clone. This leads to issues like infinite recursion on close [1], because the child state is otherwise not set up for use with tcp_bpf_prot operations. Adjust the check in tcp_bpf_clone to detect all of tcp_bpf_prots variants. Note that it wouldn't be sufficient to check the socket state when overriding the sk_prot in tcp_bpf_update_proto in order to always use the TCP_BPF_BASE variant for listening sockets. Since commit b8b8315e39ff ("bpf, sockmap: Remove unhash handler for BPF sockmap usage") it is possible for a socket to transition to TCP_LISTEN state while already linked to a sockmap, e.g. connect() -> insert into map -> connect(AF_UNSPEC) -> listen(). [1]: https://lore.kernel.org/all/00000000000073b14905ef2e7401@google.com/ CVE-2023-52986 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate In the Linux kernel, the following vulnerability has been resolved: acpi: Fix suspend with Xen PV Commit f1e525009493 ("x86/boot: Skip realmode init code when running as Xen PV guest") missed one code path accessing real_mode_header, leading to dereferencing NULL when suspending the system under Xen: [ 348.284004] PM: suspend entry (deep) [ 348.289532] Filesystems sync: 0.005 seconds [ 348.291545] Freezing user space processes ... (elapsed 0.000 seconds) done. [ 348.292457] OOM killer disabled. [ 348.292462] Freezing remaining freezable tasks ... (elapsed 0.104 seconds) done. [ 348.396612] printk: Suspending console(s) (use no_console_suspend to debug) [ 348.749228] PM: suspend devices took 0.352 seconds [ 348.769713] ACPI: EC: interrupt blocked [ 348.816077] BUG: kernel NULL pointer dereference, address: 000000000000001c [ 348.816080] #PF: supervisor read access in kernel mode [ 348.816081] #PF: error_code(0x0000) - not-present page [ 348.816083] PGD 0 P4D 0 [ 348.816086] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 348.816089] CPU: 0 PID: 6764 Comm: systemd-sleep Not tainted 6.1.3-1.fc32.qubes.x86_64 #1 [ 348.816092] Hardware name: Star Labs StarBook/StarBook, BIOS 8.01 07/03/2022 [ 348.816093] RIP: e030:acpi_get_wakeup_address+0xc/0x20 Fix that by adding an optional acpi callback allowing to skip setting the wakeup address, as in the Xen PV case this will be handled by the hypervisor anyway. CVE-2023-52994 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2023-53001 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/i915: Fix a memory leak with reused mmap_offset drm_vma_node_allow() and drm_vma_node_revoke() should be called in balanced pairs. We call drm_vma_node_allow() once per-file everytime a user calls mmap_offset, but only call drm_vma_node_revoke once per-file on each mmap_offset. As the mmap_offset is reused by the client, the per-file vm_count may remain non-zero and the rbtree leaked. Call drm_vma_node_allow_once() instead to prevent that memory leak. CVE-2023-53002 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Add sync after creating vram bo There will be data corruption on vram allocated by svm if the initialization is not complete and application is writting on the memory. Adding sync to wait for the initialization completion is to resolve this issue. CVE-2023-53009 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate In the Linux kernel, the following vulnerability has been resolved: dmaengine: tegra: Fix memory leak in terminate_all() Terminate vdesc when terminating an ongoing transfer. This will ensure that the vdesc is present in the desc_terminated list The descriptor will be freed later in desc_free_list(). This fixes the memory leaks which can happen when terminating an ongoing transfer. CVE-2023-53014 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_conn: Fix memory leaks When hci_cmd_sync_queue() failed in hci_le_terminate_big() or hci_le_big_terminate(), the memory pointed by variable d is not freed, which will cause memory leak. Add release process to error path. CVE-2023-53018 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/imc-pmu: Fix use of mutex in IRQs disabled section Current imc-pmu code triggers a WARNING with CONFIG_DEBUG_ATOMIC_SLEEP and CONFIG_PROVE_LOCKING enabled, while running a thread_imc event. Command to trigger the warning: # perf stat -e thread_imc/CPM_CS_FROM_L4_MEM_X_DPTEG/ sleep 5 Performance counter stats for 'sleep 5': 0 thread_imc/CPM_CS_FROM_L4_MEM_X_DPTEG/ 5.002117947 seconds time elapsed 0.000131000 seconds user 0.001063000 seconds sys Below is snippet of the warning in dmesg: BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 2869, name: perf-exec preempt_count: 2, expected: 0 4 locks held by perf-exec/2869: #0: c00000004325c540 (&sig->cred_guard_mutex){+.+.}-{3:3}, at: bprm_execve+0x64/0xa90 #1: c00000004325c5d8 (&sig->exec_update_lock){++++}-{3:3}, at: begin_new_exec+0x460/0xef0 #2: c0000003fa99d4e0 (&cpuctx_lock){-...}-{2:2}, at: perf_event_exec+0x290/0x510 #3: c000000017ab8418 (&ctx->lock){....}-{2:2}, at: perf_event_exec+0x29c/0x510 irq event stamp: 4806 hardirqs last enabled at (4805): [<c000000000f65b94>] _raw_spin_unlock_irqrestore+0x94/0xd0 hardirqs last disabled at (4806): [<c0000000003fae44>] perf_event_exec+0x394/0x510 softirqs last enabled at (0): [<c00000000013c404>] copy_process+0xc34/0x1ff0 softirqs last disabled at (0): [<0000000000000000>] 0x0 CPU: 36 PID: 2869 Comm: perf-exec Not tainted 6.2.0-rc2-00011-g1247637727f2 #61 Hardware name: 8375-42A POWER9 0x4e1202 opal:v7.0-16-g9b85f7d961 PowerNV Call Trace: dump_stack_lvl+0x98/0xe0 (unreliable) __might_resched+0x2f8/0x310 __mutex_lock+0x6c/0x13f0 thread_imc_event_add+0xf4/0x1b0 event_sched_in+0xe0/0x210 merge_sched_in+0x1f0/0x600 visit_groups_merge.isra.92.constprop.166+0x2bc/0x6c0 ctx_flexible_sched_in+0xcc/0x140 ctx_sched_in+0x20c/0x2a0 ctx_resched+0x104/0x1c0 perf_event_exec+0x340/0x510 begin_new_exec+0x730/0xef0 load_elf_binary+0x3f8/0x1e10 ... do not call blocking ops when !TASK_RUNNING; state=2001 set at [<00000000fd63e7cf>] do_nanosleep+0x60/0x1a0 WARNING: CPU: 36 PID: 2869 at kernel/sched/core.c:9912 __might_sleep+0x9c/0xb0 CPU: 36 PID: 2869 Comm: sleep Tainted: G W 6.2.0-rc2-00011-g1247637727f2 #61 Hardware name: 8375-42A POWER9 0x4e1202 opal:v7.0-16-g9b85f7d961 PowerNV NIP: c000000000194a1c LR: c000000000194a18 CTR: c000000000a78670 REGS: c00000004d2134e0 TRAP: 0700 Tainted: G W (6.2.0-rc2-00011-g1247637727f2) MSR: 9000000000021033 <SF,HV,ME,IR,DR,RI,LE> CR: 48002824 XER: 00000000 CFAR: c00000000013fb64 IRQMASK: 1 The above warning triggered because the current imc-pmu code uses mutex lock in interrupt disabled sections. The function mutex_lock() internally calls __might_resched(), which will check if IRQs are disabled and in case IRQs are disabled, it will trigger the warning. Fix the issue by changing the mutex lock to spinlock. [mpe: Fix comments, trim oops in change log, add reported-by tags] CVE-2023-53031 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate In the Linux kernel, the following vulnerability has been resolved: dm crypt: add cond_resched() to dmcrypt_write() The loop in dmcrypt_write may be running for unbounded amount of time, thus we need cond_resched() in it. This commit fixes the following warning: [ 3391.153255][ C12] watchdog: BUG: soft lockup - CPU#12 stuck for 23s! [dmcrypt_write/2:2897] ... [ 3391.387210][ C12] Call trace: [ 3391.390338][ C12] blk_attempt_bio_merge.part.6+0x38/0x158 [ 3391.395970][ C12] blk_attempt_plug_merge+0xc0/0x1b0 [ 3391.401085][ C12] blk_mq_submit_bio+0x398/0x550 [ 3391.405856][ C12] submit_bio_noacct+0x308/0x380 [ 3391.410630][ C12] dmcrypt_write+0x1e4/0x208 [dm_crypt] [ 3391.416005][ C12] kthread+0x130/0x138 [ 3391.419911][ C12] ret_from_fork+0x10/0x18 CVE-2023-53051 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications. CVE-2024-10041 Public Cloud Image google/sles-15-sp5-v20250609-arm64:apparmor-parser-3.0.4-150500.11.18.1 Public Cloud Image google/sles-15-sp5-v20250609-arm64:libapparmor1-3.0.4-150500.11.18.1 Public Cloud Image google/sles-15-sp5-v20250609-arm64:pam-1.3.0-150000.6.76.1 moderate containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.04. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images. CVE-2024-40635 Public Cloud Image google/sles-15-sp5-v20250609-arm64:containerd-1.7.27-150000.123.1 moderate In the Linux kernel, the following vulnerability has been resolved: cifs: fix potential null pointer use in destroy_workqueue in init_cifs error path Dan Carpenter reported a Smack static checker warning: fs/smb/client/cifsfs.c:1981 init_cifs() error: we previously assumed 'serverclose_wq' could be null (see line 1895) The patch which introduced the serverclose workqueue used the wrong oredering in error paths in init_cifs() for freeing it on errors. CVE-2024-42307 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate In the Linux kernel, the following vulnerability has been resolved: fou: Fix null-ptr-deref in GRO. We observed a null-ptr-deref in fou_gro_receive() while shutting down a host. [0] The NULL pointer is sk->sk_user_data, and the offset 8 is of protocol in struct fou. When fou_release() is called due to netns dismantle or explicit tunnel teardown, udp_tunnel_sock_release() sets NULL to sk->sk_user_data. Then, the tunnel socket is destroyed after a single RCU grace period. So, in-flight udp4_gro_receive() could find the socket and execute the FOU GRO handler, where sk->sk_user_data could be NULL. Let's use rcu_dereference_sk_user_data() in fou_from_sock() and add NULL checks in FOU GRO handlers. [0]: BUG: kernel NULL pointer dereference, address: 0000000000000008 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 80000001032f4067 P4D 80000001032f4067 PUD 103240067 PMD 0 SMP PTI CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.216-204.855.amzn2.x86_64 #1 Hardware name: Amazon EC2 c5.large/, BIOS 1.0 10/16/2017 RIP: 0010:fou_gro_receive (net/ipv4/fou.c:233) [fou] Code: 41 5f c3 cc cc cc cc e8 e7 2e 69 f4 0f 1f 80 00 00 00 00 0f 1f 44 00 00 49 89 f8 41 54 48 89 f7 48 89 d6 49 8b 80 88 02 00 00 <0f> b6 48 08 0f b7 42 4a 66 25 fd fd 80 cc 02 66 89 42 4a 0f b6 42 RSP: 0018:ffffa330c0003d08 EFLAGS: 00010297 RAX: 0000000000000000 RBX: ffff93d9e3a6b900 RCX: 0000000000000010 RDX: ffff93d9e3a6b900 RSI: ffff93d9e3a6b900 RDI: ffff93dac2e24d08 RBP: ffff93d9e3a6b900 R08: ffff93dacbce6400 R09: 0000000000000002 R10: 0000000000000000 R11: ffffffffb5f369b0 R12: ffff93dacbce6400 R13: ffff93dac2e24d08 R14: 0000000000000000 R15: ffffffffb4edd1c0 FS: 0000000000000000(0000) GS:ffff93daee800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 0000000102140001 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <IRQ> ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259) ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420) ? no_context (arch/x86/mm/fault.c:752) ? exc_page_fault (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 arch/x86/mm/fault.c:1435 arch/x86/mm/fault.c:1483) ? asm_exc_page_fault (arch/x86/include/asm/idtentry.h:571) ? fou_gro_receive (net/ipv4/fou.c:233) [fou] udp_gro_receive (include/linux/netdevice.h:2552 net/ipv4/udp_offload.c:559) udp4_gro_receive (net/ipv4/udp_offload.c:604) inet_gro_receive (net/ipv4/af_inet.c:1549 (discriminator 7)) dev_gro_receive (net/core/dev.c:6035 (discriminator 4)) napi_gro_receive (net/core/dev.c:6170) ena_clean_rx_irq (drivers/amazon/net/ena/ena_netdev.c:1558) [ena] ena_io_poll (drivers/amazon/net/ena/ena_netdev.c:1742) [ena] napi_poll (net/core/dev.c:6847) net_rx_action (net/core/dev.c:6917) __do_softirq (arch/x86/include/asm/jump_label.h:25 include/linux/jump_label.h:200 include/trace/events/irq.h:142 kernel/softirq.c:299) asm_call_irq_on_stack (arch/x86/entry/entry_64.S:809) </IRQ> do_softirq_own_stack (arch/x86/include/asm/irq_stack.h:27 arch/x86/include/asm/irq_stack.h:77 arch/x86/kernel/irq_64.c:77) irq_exit_rcu (kernel/softirq.c:393 kernel/softirq.c:423 kernel/softirq.c:435) common_interrupt (arch/x86/kernel/irq.c:239) asm_common_interrupt (arch/x86/include/asm/idtentry.h:626) RIP: 0010:acpi_idle_do_entry (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 drivers/acpi/processor_idle.c:114 drivers/acpi/processor_idle.c:575) Code: 8b 15 d1 3c c4 02 ed c3 cc cc cc cc 65 48 8b 04 25 40 ef 01 00 48 8b 00 a8 08 75 eb 0f 1f 44 00 00 0f 00 2d d5 09 55 00 fb f4 <fa> c3 cc cc cc cc e9 be fc ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 RSP: 0018:ffffffffb5603e58 EFLAGS: 00000246 RAX: 0000000000004000 RBX: ffff93dac0929c00 RCX: ffff93daee833900 RDX: ffff93daee800000 RSI: ffff93d ---truncated--- CVE-2024-46763 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's position is "Webrick should not be used in production." CVE-2024-47220 Public Cloud Image google/sles-15-sp5-v20250609-arm64:libruby2_5-2_5-2.5.9-150000.4.41.1 Public Cloud Image google/sles-15-sp5-v20250609-arm64:ruby2.5-2.5.9-150000.4.41.1 Public Cloud Image google/sles-15-sp5-v20250609-arm64:ruby2.5-stdlib-2.5.9-150000.4.41.1 important In the Linux kernel, the following vulnerability has been resolved: netfilter: xtables: avoid NFPROTO_UNSPEC where needed syzbot managed to call xt_cluster match via ebtables: WARNING: CPU: 0 PID: 11 at net/netfilter/xt_cluster.c:72 xt_cluster_mt+0x196/0x780 [..] ebt_do_table+0x174b/0x2a40 Module registers to NFPROTO_UNSPEC, but it assumes ipv4/ipv6 packet processing. As this is only useful to restrict locally terminating TCP/UDP traffic, register this for ipv4 and ipv6 family only. Pablo points out that this is a general issue, direct users of the set/getsockopt interface can call into targets/matches that were only intended for use with ip(6)tables. Check all UNSPEC matches and targets for similar issues: - matches and targets are fine except if they assume skb_network_header() is valid -- this is only true when called from inet layer: ip(6) stack pulls the ip/ipv6 header into linear data area. - targets that return XT_CONTINUE or other xtables verdicts must be restricted too, they are incompatbile with the ebtables traverser, e.g. EBT_CONTINUE is a completely different value than XT_CONTINUE. Most matches/targets are changed to register for NFPROTO_IPV4/IPV6, as they are provided for use by ip(6)tables. The MARK target is also used by arptables, so register for NFPROTO_ARP too. While at it, bail out if connbytes fails to enable the corresponding conntrack family. This change passes the selftests in iptables.git. CVE-2024-50038 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate In the Linux kernel, the following vulnerability has been resolved: padata: avoid UAF for reorder_work Although the previous patch can avoid ps and ps UAF for _do_serial, it can not avoid potential UAF issue for reorder_work. This issue can happen just as below: crypto_request crypto_request crypto_del_alg padata_do_serial ... padata_reorder // processes all remaining // requests then breaks while (1) { if (!padata) break; ... } padata_do_serial // new request added list_add // sees the new request queue_work(reorder_work) padata_reorder queue_work_on(squeue->work) ... <kworker context> padata_serial_worker // completes new request, // no more outstanding // requests crypto_del_alg // free pd <kworker context> invoke_padata_reorder // UAF of pd To avoid UAF for 'reorder_work', get 'pd' ref before put 'reorder_work' into the 'serial_wq' and put 'pd' ref until the 'serial_wq' finish. CVE-2025-21726 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate In the Linux kernel, the following vulnerability has been resolved: arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array The loop that detects/populates cache information already has a bounds check on the array size but does not account for cache levels with separate data/instructions cache. Fix this by incrementing the index for any populated leaf (instead of any populated level). CVE-2025-21785 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate In the Linux kernel, the following vulnerability has been resolved: vrf: use RCU protection in l3mdev_l3_out() l3mdev_l3_out() can be called without RCU being held: raw_sendmsg() ip_push_pending_frames() ip_send_skb() ip_local_out() __ip_local_out() l3mdev_ip_out() Add rcu_read_lock() / rcu_read_unlock() pair to avoid a potential UAF. CVE-2025-21791 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate In the Linux kernel, the following vulnerability has been resolved: ax25: rcu protect dev->ax25_ptr syzbot found a lockdep issue [1]. We should remove ax25 RTNL dependency in ax25_setsockopt() This should also fix a variety of possible UAF in ax25. [1] WARNING: possible circular locking dependency detected 6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0 Not tainted ------------------------------------------------------ syz.5.1818/12806 is trying to acquire lock: ffffffff8fcb3988 (rtnl_mutex){+.+.}-{4:4}, at: ax25_setsockopt+0xa55/0xe90 net/ax25/af_ax25.c:680 but task is already holding lock: ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1618 [inline] ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: ax25_setsockopt+0x209/0xe90 net/ax25/af_ax25.c:574 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (sk_lock-AF_AX25){+.+.}-{0:0}: lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849 lock_sock_nested+0x48/0x100 net/core/sock.c:3642 lock_sock include/net/sock.h:1618 [inline] ax25_kill_by_device net/ax25/af_ax25.c:101 [inline] ax25_device_event+0x24d/0x580 net/ax25/af_ax25.c:146 notifier_call_chain+0x1a5/0x3f0 kernel/notifier.c:85 __dev_notify_flags+0x207/0x400 dev_change_flags+0xf0/0x1a0 net/core/dev.c:9026 dev_ifsioc+0x7c8/0xe70 net/core/dev_ioctl.c:563 dev_ioctl+0x719/0x1340 net/core/dev_ioctl.c:820 sock_do_ioctl+0x240/0x460 net/socket.c:1234 sock_ioctl+0x626/0x8e0 net/socket.c:1339 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #0 (rtnl_mutex){+.+.}-{4:4}: check_prev_add kernel/locking/lockdep.c:3161 [inline] check_prevs_add kernel/locking/lockdep.c:3280 [inline] validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904 __lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849 __mutex_lock_common kernel/locking/mutex.c:585 [inline] __mutex_lock+0x1ac/0xee0 kernel/locking/mutex.c:735 ax25_setsockopt+0xa55/0xe90 net/ax25/af_ax25.c:680 do_sock_setsockopt+0x3af/0x720 net/socket.c:2324 __sys_setsockopt net/socket.c:2349 [inline] __do_sys_setsockopt net/socket.c:2355 [inline] __se_sys_setsockopt net/socket.c:2352 [inline] __x64_sys_setsockopt+0x1ee/0x280 net/socket.c:2352 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(sk_lock-AF_AX25); lock(rtnl_mutex); lock(sk_lock-AF_AX25); lock(rtnl_mutex); *** DEADLOCK *** 1 lock held by syz.5.1818/12806: #0: ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1618 [inline] #0: ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: ax25_setsockopt+0x209/0xe90 net/ax25/af_ax25.c:574 stack backtrace: CPU: 1 UID: 0 PID: 12806 Comm: syz.5.1818 Not tainted 6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2074 check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2206 check_prev_add kernel/locking/lockdep.c:3161 [inline] check_prevs_add kernel/lockin ---truncated--- CVE-2025-21812 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 important In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop Move the conditional loading of hardware DR6 with the guest's DR6 value out of the core .vcpu_run() loop to fix a bug where KVM can load hardware with a stale vcpu->arch.dr6. When the guest accesses a DR and host userspace isn't debugging the guest, KVM disables DR interception and loads the guest's values into hardware on VM-Enter and saves them on VM-Exit. This allows the guest to access DRs at will, e.g. so that a sequence of DR accesses to configure a breakpoint only generates one VM-Exit. For DR0-DR3, the logic/behavior is identical between VMX and SVM, and also identical between KVM_DEBUGREG_BP_ENABLED (userspace debugging the guest) and KVM_DEBUGREG_WONT_EXIT (guest using DRs), and so KVM handles loading DR0-DR3 in common code, _outside_ of the core kvm_x86_ops.vcpu_run() loop. But for DR6, the guest's value doesn't need to be loaded into hardware for KVM_DEBUGREG_BP_ENABLED, and SVM provides a dedicated VMCB field whereas VMX requires software to manually load the guest value, and so loading the guest's value into DR6 is handled by {svm,vmx}_vcpu_run(), i.e. is done _inside_ the core run loop. Unfortunately, saving the guest values on VM-Exit is initiated by common x86, again outside of the core run loop. If the guest modifies DR6 (in hardware, when DR interception is disabled), and then the next VM-Exit is a fastpath VM-Exit, KVM will reload hardware DR6 with vcpu->arch.dr6 and clobber the guest's actual value. The bug shows up primarily with nested VMX because KVM handles the VMX preemption timer in the fastpath, and the window between hardware DR6 being modified (in guest context) and DR6 being read by guest software is orders of magnitude larger in a nested setup. E.g. in non-nested, the VMX preemption timer would need to fire precisely between #DB injection and the #DB handler's read of DR6, whereas with a KVM-on-KVM setup, the window where hardware DR6 is "dirty" extends all the way from L1 writing DR6 to VMRESUME (in L1). L1's view: ========== <L1 disables DR interception> CPU 0/KVM-7289 [023] d.... 2925.640961: kvm_entry: vcpu 0 A: L1 Writes DR6 CPU 0/KVM-7289 [023] d.... 2925.640963: <hack>: Set DRs, DR6 = 0xffff0ff1 B: CPU 0/KVM-7289 [023] d.... 2925.640967: kvm_exit: vcpu 0 reason EXTERNAL_INTERRUPT intr_info 0x800000ec D: L1 reads DR6, arch.dr6 = 0 CPU 0/KVM-7289 [023] d.... 2925.640969: <hack>: Sync DRs, DR6 = 0xffff0ff0 CPU 0/KVM-7289 [023] d.... 2925.640976: kvm_entry: vcpu 0 L2 reads DR6, L1 disables DR interception CPU 0/KVM-7289 [023] d.... 2925.640980: kvm_exit: vcpu 0 reason DR_ACCESS info1 0x0000000000000216 CPU 0/KVM-7289 [023] d.... 2925.640983: kvm_entry: vcpu 0 CPU 0/KVM-7289 [023] d.... 2925.640983: <hack>: Set DRs, DR6 = 0xffff0ff0 L2 detects failure CPU 0/KVM-7289 [023] d.... 2925.640987: kvm_exit: vcpu 0 reason HLT L1 reads DR6 (confirms failure) CPU 0/KVM-7289 [023] d.... 2925.640990: <hack>: Sync DRs, DR6 = 0xffff0ff0 L0's view: ========== L2 reads DR6, arch.dr6 = 0 CPU 23/KVM-5046 [001] d.... 3410.005610: kvm_exit: vcpu 23 reason DR_ACCESS info1 0x0000000000000216 CPU 23/KVM-5046 [001] ..... 3410.005610: kvm_nested_vmexit: vcpu 23 reason DR_ACCESS info1 0x0000000000000216 L2 => L1 nested VM-Exit CPU 23/KVM-5046 [001] ..... 3410.005610: kvm_nested_vmexit_inject: reason: DR_ACCESS ext_inf1: 0x0000000000000216 CPU 23/KVM-5046 [001] d.... 3410.005610: kvm_entry: vcpu 23 CPU 23/KVM-5046 [001] d.... 3410.005611: kvm_exit: vcpu 23 reason VMREAD CPU 23/KVM-5046 [001] d.... 3410.005611: kvm_entry: vcpu 23 CPU 23/KVM-5046 [001] d.... 3410. ---truncated--- CVE-2025-21839 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: atm: fix use after free in lec_send() The ->send() operation frees skb so save the length before calling ->send() to avoid a use after free. CVE-2025-22004 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 important In the Linux kernel, the following vulnerability has been resolved: memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove This fixes the following crash: ================================================================== BUG: KASAN: slab-use-after-free in rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] Read of size 8 at addr ffff888136335380 by task kworker/6:0/140241 CPU: 6 UID: 0 PID: 140241 Comm: kworker/6:0 Kdump: loaded Tainted: G E 6.14.0-rc6+ #1 Tainted: [E]=UNSIGNED_MODULE Hardware name: LENOVO 30FNA1V7CW/1057, BIOS S0EKT54A 07/01/2024 Workqueue: events rtsx_usb_ms_poll_card [rtsx_usb_ms] Call Trace: <TASK> dump_stack_lvl+0x51/0x70 print_address_description.constprop.0+0x27/0x320 ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] print_report+0x3e/0x70 kasan_report+0xab/0xe0 ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] ? __pfx_rtsx_usb_ms_poll_card+0x10/0x10 [rtsx_usb_ms] ? __pfx___schedule+0x10/0x10 ? kick_pool+0x3b/0x270 process_one_work+0x357/0x660 worker_thread+0x390/0x4c0 ? __pfx_worker_thread+0x10/0x10 kthread+0x190/0x1d0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2d/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 161446: kasan_save_stack+0x20/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0x7b/0x90 __kmalloc_noprof+0x1a7/0x470 memstick_alloc_host+0x1f/0xe0 [memstick] rtsx_usb_ms_drv_probe+0x47/0x320 [rtsx_usb_ms] platform_probe+0x60/0xe0 call_driver_probe+0x35/0x120 really_probe+0x123/0x410 __driver_probe_device+0xc7/0x1e0 driver_probe_device+0x49/0xf0 __device_attach_driver+0xc6/0x160 bus_for_each_drv+0xe4/0x160 __device_attach+0x13a/0x2b0 bus_probe_device+0xbd/0xd0 device_add+0x4a5/0x760 platform_device_add+0x189/0x370 mfd_add_device+0x587/0x5e0 mfd_add_devices+0xb1/0x130 rtsx_usb_probe+0x28e/0x2e0 [rtsx_usb] usb_probe_interface+0x15c/0x460 call_driver_probe+0x35/0x120 really_probe+0x123/0x410 __driver_probe_device+0xc7/0x1e0 driver_probe_device+0x49/0xf0 __device_attach_driver+0xc6/0x160 bus_for_each_drv+0xe4/0x160 __device_attach+0x13a/0x2b0 rebind_marked_interfaces.isra.0+0xcc/0x110 usb_reset_device+0x352/0x410 usbdev_do_ioctl+0xe5c/0x1860 usbdev_ioctl+0xa/0x20 __x64_sys_ioctl+0xc5/0xf0 do_syscall_64+0x59/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 161506: kasan_save_stack+0x20/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x36/0x60 __kasan_slab_free+0x34/0x50 kfree+0x1fd/0x3b0 device_release+0x56/0xf0 kobject_cleanup+0x73/0x1c0 rtsx_usb_ms_drv_remove+0x13d/0x220 [rtsx_usb_ms] platform_remove+0x2f/0x50 device_release_driver_internal+0x24b/0x2e0 bus_remove_device+0x124/0x1d0 device_del+0x239/0x530 platform_device_del.part.0+0x19/0xe0 platform_device_unregister+0x1c/0x40 mfd_remove_devices_fn+0x167/0x170 device_for_each_child_reverse+0xc9/0x130 mfd_remove_devices+0x6e/0xa0 rtsx_usb_disconnect+0x2e/0xd0 [rtsx_usb] usb_unbind_interface+0xf3/0x3f0 device_release_driver_internal+0x24b/0x2e0 proc_disconnect_claim+0x13d/0x220 usbdev_do_ioctl+0xb5e/0x1860 usbdev_ioctl+0xa/0x20 __x64_sys_ioctl+0xc5/0xf0 do_syscall_64+0x59/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Last potentially related work creation: kasan_save_stack+0x20/0x40 kasan_record_aux_stack+0x85/0x90 insert_work+0x29/0x100 __queue_work+0x34a/0x540 call_timer_fn+0x2a/0x160 expire_timers+0x5f/0x1f0 __run_timer_base.part.0+0x1b6/0x1e0 run_timer_softirq+0x8b/0xe0 handle_softirqs+0xf9/0x360 __irq_exit_rcu+0x114/0x130 sysvec_apic_timer_interrupt+0x72/0x90 asm_sysvec_apic_timer_interrupt+0x16/0x20 Second to last potentially related work creation: kasan_save_stack+0x20/0x40 kasan_record_aux_stack+0x85/0x90 insert_work+0x29/0x100 __queue_work+0x34a/0x540 call_timer_fn+0x2a/0x160 expire_timers+0x5f/0x1f0 __run_timer_base.part.0+0x1b6/0x1e0 run_timer_softirq+0x8b/0xe0 handle_softirqs+0xf9/0x ---truncated--- CVE-2025-22020 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 important This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2025-22029 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 important In the Linux kernel, the following vulnerability has been resolved: x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs On the following path, flush_tlb_range() can be used for zapping normal PMD entries (PMD entries that point to page tables) together with the PTE entries in the pointed-to page table: collapse_pte_mapped_thp pmdp_collapse_flush flush_tlb_range The arm64 version of flush_tlb_range() has a comment describing that it can be used for page table removal, and does not use any last-level invalidation optimizations. Fix the X86 version by making it behave the same way. Currently, X86 only uses this information for the following two purposes, which I think means the issue doesn't have much impact: - In native_flush_tlb_multi() for checking if lazy TLB CPUs need to be IPI'd to avoid issues with speculative page table walks. - In Hyper-V TLB paravirtualization, again for lazy TLB stuff. The patch "x86/mm: only invalidate final translations with INVLPGB" which is currently under review (see <https://lore.kernel.org/all/20241230175550.4046587-13-riel@surriel.com/>) would probably be making the impact of this a lot worse. CVE-2025-22045 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: fix geneve_opt length integer overflow struct geneve_opt uses 5 bit length for each single option, which means every vary size option should be smaller than 128 bytes. However, all current related Netlink policies cannot promise this length condition and the attacker can exploit a exact 128-byte size option to *fake* a zero length option and confuse the parsing logic, further achieve heap out-of-bounds read. One example crash log is like below: [ 3.905425] ================================================================== [ 3.905925] BUG: KASAN: slab-out-of-bounds in nla_put+0xa9/0xe0 [ 3.906255] Read of size 124 at addr ffff888005f291cc by task poc/177 [ 3.906646] [ 3.906775] CPU: 0 PID: 177 Comm: poc-oob-read Not tainted 6.1.132 #1 [ 3.907131] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 [ 3.907784] Call Trace: [ 3.907925] <TASK> [ 3.908048] dump_stack_lvl+0x44/0x5c [ 3.908258] print_report+0x184/0x4be [ 3.909151] kasan_report+0xc5/0x100 [ 3.909539] kasan_check_range+0xf3/0x1a0 [ 3.909794] memcpy+0x1f/0x60 [ 3.909968] nla_put+0xa9/0xe0 [ 3.910147] tunnel_key_dump+0x945/0xba0 [ 3.911536] tcf_action_dump_1+0x1c1/0x340 [ 3.912436] tcf_action_dump+0x101/0x180 [ 3.912689] tcf_exts_dump+0x164/0x1e0 [ 3.912905] fw_dump+0x18b/0x2d0 [ 3.913483] tcf_fill_node+0x2ee/0x460 [ 3.914778] tfilter_notify+0xf4/0x180 [ 3.915208] tc_new_tfilter+0xd51/0x10d0 [ 3.918615] rtnetlink_rcv_msg+0x4a2/0x560 [ 3.919118] netlink_rcv_skb+0xcd/0x200 [ 3.919787] netlink_unicast+0x395/0x530 [ 3.921032] netlink_sendmsg+0x3d0/0x6d0 [ 3.921987] __sock_sendmsg+0x99/0xa0 [ 3.922220] __sys_sendto+0x1b7/0x240 [ 3.922682] __x64_sys_sendto+0x72/0x90 [ 3.922906] do_syscall_64+0x5e/0x90 [ 3.923814] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 3.924122] RIP: 0033:0x7e83eab84407 [ 3.924331] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf [ 3.925330] RSP: 002b:00007ffff505e370 EFLAGS: 00000202 ORIG_RAX: 000000000000002c [ 3.925752] RAX: ffffffffffffffda RBX: 00007e83eaafa740 RCX: 00007e83eab84407 [ 3.926173] RDX: 00000000000001a8 RSI: 00007ffff505e3c0 RDI: 0000000000000003 [ 3.926587] RBP: 00007ffff505f460 R08: 00007e83eace1000 R09: 000000000000000c [ 3.926977] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffff505f3c0 [ 3.927367] R13: 00007ffff505f5c8 R14: 00007e83ead1b000 R15: 00005d4fbbe6dcb8 Fix these issues by enforing correct length condition in related policies. CVE-2025-22055 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 important In the Linux kernel, the following vulnerability has been resolved: drm/vkms: Fix use after free and double free on init error If the driver initialization fails, the vkms_exit() function might access an uninitialized or freed default_config pointer and it might double free it. Fix both possible errors by initializing default_config only when the driver initialization succeeded. CVE-2025-22097 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 important A flaw was found in cifs-utils. When trying to obtain Kerberos credentials, the cifs.upcall program from the cifs-utils package makes an upcall to the wrong namespace in containerized environments. This issue may lead to disclosing sensitive data from the host's Kerberos credentials cache. CVE-2025-2312 Public Cloud Image google/sles-15-sp5-v20250609-arm64:cifs-utils-6.15-150400.3.12.1 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate In the Linux kernel, the following vulnerability has been resolved: watch_queue: fix pipe accounting mismatch Currently, watch_queue_set_size() modifies the pipe buffers charged to user->pipe_bufs without updating the pipe->nr_accounted on the pipe itself, due to the if (!pipe_has_watch_queue()) test in pipe_resize_ring(). This means that when the pipe is ultimately freed, we decrement user->pipe_bufs by something other than what than we had charged to it, potentially leading to an underflow. This in turn can cause subsequent too_many_pipe_buffers_soft() tests to fail with -EPERM. To remedy this, explicitly account for the pipe usage in watch_queue_set_size() to match the number set via account_pipe_buffers() (It's unclear why watch_queue_set_size() does not update nr_accounted; it may be due to intentional overprovisioning in watch_queue_set_size()?) CVE-2025-23138 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate A vulnerability has been found in Hercules Augeas 1.14.1 and classified as problematic. This vulnerability affects the function re_case_expand of the file src/fa.c. The manipulation of the argument re leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. CVE-2025-2588 Public Cloud Image google/sles-15-sp5-v20250609-arm64:augeas-1.12.0-150400.3.8.1 Public Cloud Image google/sles-15-sp5-v20250609-arm64:augeas-lenses-1.12.0-150400.3.8.1 Public Cloud Image google/sles-15-sp5-v20250609-arm64:libaugeas0-1.12.0-150400.3.8.1 low In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies. CVE-2025-27219 Public Cloud Image google/sles-15-sp5-v20250609-arm64:libruby2_5-2_5-2.5.9-150000.4.41.1 Public Cloud Image google/sles-15-sp5-v20250609-arm64:ruby2.5-2.5.9-150000.4.41.1 Public Cloud Image google/sles-15-sp5-v20250609-arm64:ruby2.5-stdlib-2.5.9-150000.4.41.1 moderate In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method. CVE-2025-27220 Public Cloud Image google/sles-15-sp5-v20250609-arm64:libruby2_5-2_5-2.5.9-150000.4.41.1 Public Cloud Image google/sles-15-sp5-v20250609-arm64:ruby2.5-2.5.9-150000.4.41.1 Public Cloud Image google/sles-15-sp5-v20250609-arm64:ruby2.5-stdlib-2.5.9-150000.4.41.1 moderate In SQLite 3.44.0 through 3.49.0 before 3.49.1, the concat_ws() SQL function can cause memory to be written beyond the end of a malloc-allocated buffer. If the separator argument is attacker-controlled and has a large string (e.g., 2MB or more), an integer overflow occurs in calculating the size of the result buffer, and thus malloc may not allocate enough memory. CVE-2025-29087 Public Cloud Image google/sles-15-sp5-v20250609-arm64:libsqlite3-0-3.49.1-150000.3.27.1 Public Cloud Image google/sles-15-sp5-v20250609-arm64:sqlite3-tcl-3.49.1-150000.3.27.1 moderate In SQLite 3.49.0 before 3.49.1, certain argument values to sqlite3_db_config (in the C-language API) can cause a denial of service (application crash). An sz*nBig multiplication is not cast to a 64-bit integer, and consequently some memory allocations may be incorrect. CVE-2025-29088 Public Cloud Image google/sles-15-sp5-v20250609-arm64:libsqlite3-0-3.49.1-150000.3.27.1 Public Cloud Image google/sles-15-sp5-v20250609-arm64:sqlite3-tcl-3.49.1-150000.3.27.1 moderate In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters. CVE-2025-32414 Public Cloud Image google/sles-15-sp5-v20250609-arm64:libxml2-2-2.10.3-150500.5.26.1 moderate In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used. CVE-2025-32415 Public Cloud Image google/sles-15-sp5-v20250609-arm64:libxml2-2-2.10.3-150500.5.26.1 low In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding. CVE-2025-32728 Public Cloud Image google/sles-15-sp5-v20250609-arm64:openssh-8.4p1-150300.3.49.1 Public Cloud Image google/sles-15-sp5-v20250609-arm64:openssh-clients-8.4p1-150300.3.49.1 Public Cloud Image google/sles-15-sp5-v20250609-arm64:openssh-common-8.4p1-150300.3.49.1 Public Cloud Image google/sles-15-sp5-v20250609-arm64:openssh-server-8.4p1-150300.3.49.1 moderate A flaw was found in GLib. An integer overflow and buffer under-read occur when parsing a long invalid ISO 8601 timestamp with the g_date_time_new_from_iso8601() function. CVE-2025-3360 Public Cloud Image google/sles-15-sp5-v20250609-arm64:glib2-tools-2.70.5-150400.3.20.1 Public Cloud Image google/sles-15-sp5-v20250609-arm64:libgio-2_0-0-2.70.5-150400.3.20.1 Public Cloud Image google/sles-15-sp5-v20250609-arm64:libglib-2_0-0-2.70.5-150400.3.20.1 Public Cloud Image google/sles-15-sp5-v20250609-arm64:libgmodule-2_0-0-2.70.5-150400.3.20.1 Public Cloud Image google/sles-15-sp5-v20250609-arm64:libgobject-2_0-0-2.70.5-150400.3.20.1 moderate In the Linux kernel, the following vulnerability has been resolved: jfs: fix slab-out-of-bounds read in ea_get() During the "size_check" label in ea_get(), the code checks if the extended attribute list (xattr) size matches ea_size. If not, it logs "ea_get: invalid extended attribute" and calls print_hex_dump(). Here, EALIST_SIZE(ea_buf->xattr) returns 4110417968, which exceeds INT_MAX (2,147,483,647). Then ea_size is clamped: int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr)); Although clamp_t aims to bound ea_size between 0 and 4110417968, the upper limit is treated as an int, causing an overflow above 2^31 - 1. This leads "size" to wrap around and become negative (-184549328). The "size" is then passed to print_hex_dump() (called "len" in print_hex_dump()), it is passed as type size_t (an unsigned type), this is then stored inside a variable called "int remaining", which is then assigned to "int linelen" which is then passed to hex_dump_to_buffer(). In print_hex_dump() the for loop, iterates through 0 to len-1, where len is 18446744073525002176, calling hex_dump_to_buffer() on each iteration: for (i = 0; i < len; i += rowsize) { linelen = min(remaining, rowsize); remaining -= rowsize; hex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize, linebuf, sizeof(linebuf), ascii); ... } The expected stopping condition (i < len) is effectively broken since len is corrupted and very large. This eventually leads to the "ptr+i" being passed to hex_dump_to_buffer() to get closer to the end of the actual bounds of "ptr", eventually an out of bounds access is done in hex_dump_to_buffer() in the following for loop: for (j = 0; j < len; j++) { if (linebuflen < lx + 2) goto overflow2; ch = ptr[j]; ... } To fix this we should validate "EALIST_SIZE(ea_buf->xattr)" before it is utilised. CVE-2025-39735 Public Cloud Image google/sles-15-sp5-v20250609-arm64:kernel-default-5.14.21-150500.55.103.1 moderate ping in iputils before 20250602 allows a denial of service (application error or incorrect data collection) via a crafted ICMP Echo Reply packet, because of a signed 64-bit integer overflow in timestamp multiplication. CVE-2025-47268 Public Cloud Image google/sles-15-sp5-v20250609-arm64:iputils-20221126-150500.3.11.1 moderate setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue. CVE-2025-47273 Public Cloud Image google/sles-15-sp5-v20250609-arm64:python3-setuptools-44.1.1-150400.9.12.1 moderate Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo). CVE-2025-4802 Public Cloud Image google/sles-15-sp5-v20250609-arm64:glibc-2.31-150300.95.1 Public Cloud Image google/sles-15-sp5-v20250609-arm64:glibc-i18ndata-2.31-150300.95.1 Public Cloud Image google/sles-15-sp5-v20250609-arm64:glibc-locale-2.31-150300.95.1 Public Cloud Image google/sles-15-sp5-v20250609-arm64:glibc-locale-base-2.31-150300.95.1 Public Cloud Image google/sles-15-sp5-v20250609-arm64:nscd-2.31-150300.95.1 important