Security update for the Linux Kernel SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:0231-1 Final 1 1 2025-01-24T10:10:55Z current 2025-01-24T10:10:55Z 2025-01-24T10:10:55Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel The SUSE Linux Enterprise 15 SP4 RT kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2024-53095: smb: client: Fix use-after-free of network namespace (bsc#1233642). - CVE-2024-53146: NFSD: Prevent a potential integer overflow (bsc#1234853). - CVE-2024-53156: wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service() (bsc#1234846). - CVE-2024-53173: NFSv4.0: Fix a use-after-free problem in the asynchronous open() (bsc#1234891). - CVE-2024-53179: smb: client: fix use-after-free of signing key (bsc#1234921). - CVE-2024-53214: vfio/pci: Properly hide first-in-list PCIe extended capability (bsc#1235004). - CVE-2024-53239: ALSA: 6fire: Release resources at card release (bsc#1235054). - CVE-2024-53240: xen/netfront: fix crash when removing device (bsc#1234281). - CVE-2024-53241: x86/xen: use new hypercall functions instead of hypercall page (XSA-466 bsc#1234282). - CVE-2024-56539: wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan() (bsc#1234963). - CVE-2024-56548: hfsplus: do not query the device logical block size multiple times (bsc#1235073). - CVE-2024-56570: ovl: Filter invalid inodes with missing lookup function (bsc#1235035). - CVE-2024-56598: jfs: array-index-out-of-bounds fix in dtReadFirst (bsc#1235220). - CVE-2024-56604: Bluetooth: RFCOMM: avoid leaving dangling sk pointer in rfcomm_sock_alloc() (bsc#1235056). - CVE-2024-56605: Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create() (bsc#1235061). - CVE-2024-56619: nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry() (bsc#1235224). - CVE-2024-8805: Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE (bsc#1230697). The following non-security bugs were fixed: - KVM: x86: fix sending PV IPI (git-fixes). - idpf: add support for SW triggered interrupts (bsc#1235507). - idpf: enable WB_ON_ITR (bsc#1235507). - idpf: trigger SW interrupt when exiting wb_on_itr mode (bsc#1235507). - kernel-binary: do not BuildIgnore m4. It is actually needed for regenerating zconf when it is not up-to-date due to merge. - kernel/fork: beware of __put_task_struct() calling context (bsc#1189998 (PREEMPT_RT prerequisite backports)). - net: mana: Increase the DEF_RX_BUFFERS_PER_QUEUE to 1024 (bsc#1235246). - rpm/kernel-binary.spec.in: Fix build regression The previous fix forgot to take over grep -c option that broke the conditional expression - scsi: storvsc: Do not flag MAINTENANCE_IN return of SRB_STATUS_DATA_OVERRUN as an error (git-fixes). - smb: client: fix TCP timers deadlock after rmmod (git-fixes) [hcarvalho: this fixes issue discussed in bsc#1233642]. - usb: roles: Call try_module_get() from usb_role_switch_find_by_fwnode() (git-fixes). - usb: typec: tps6598x: Fix return value check in tps6598x_probe() (git-fixes). - x86/bug: Merge annotate_reachable() into _BUG_FLAGS() asm (git-fixes). - x86/fpu/xsave: Handle compacted offsets correctly with supervisor states (git-fixes). - x86/fpu/xstate: Fix the ARCH_REQ_XCOMP_PERM implementation (git-fixes). - x86/fpu: Remove unused supervisor only offsets (git-fixes). - x86/kvm: Do not use pv tlb/ipi/sched_yield if on 1 vCPU (git-fixes). - x86/mce/inject: Avoid out-of-bounds write when setting flags (git-fixes). - x86/mce: Allow instrumentation during task work queueing (git-fixes). - x86/mce: Mark mce_end() noinstr (git-fixes). - x86/mce: Mark mce_panic() noinstr (git-fixes). - x86/mce: Mark mce_read_aux() noinstr (git-fixes). - x86/mm: Flush global TLB when switching to trampoline page-table (git-fixes). - x86/sgx: Free backing memory after faulting the enclave page (git-fixes). - x86/sgx: Silence softlockup detection when releasing large enclaves (git-fixes). - x86/uaccess: Move variable into switch case statement (git-fixes). - x86: Annotate call_on_stack() (git-fixes). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-231,SUSE-SLE-Micro-5.3-2025-231,SUSE-SLE-Micro-5.4-2025-231 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ Link for SUSE-SU-2025:0231-1 https://lists.suse.com/pipermail/sle-security-updates/2025-January/020192.html E-Mail link for SUSE-SU-2025:0231-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1170891 SUSE Bug 1170891 https://bugzilla.suse.com/1173139 SUSE Bug 1173139 https://bugzilla.suse.com/1185010 SUSE Bug 1185010 https://bugzilla.suse.com/1189998 SUSE Bug 1189998 https://bugzilla.suse.com/1190358 SUSE Bug 1190358 https://bugzilla.suse.com/1190428 SUSE Bug 1190428 https://bugzilla.suse.com/1191949 SUSE Bug 1191949 https://bugzilla.suse.com/1193983 SUSE Bug 1193983 https://bugzilla.suse.com/1196869 SUSE Bug 1196869 https://bugzilla.suse.com/1200313 SUSE Bug 1200313 https://bugzilla.suse.com/1201308 SUSE Bug 1201308 https://bugzilla.suse.com/1201489 SUSE Bug 1201489 https://bugzilla.suse.com/1209657 SUSE Bug 1209657 https://bugzilla.suse.com/1209798 SUSE Bug 1209798 https://bugzilla.suse.com/1211592 SUSE Bug 1211592 https://bugzilla.suse.com/1215304 SUSE Bug 1215304 https://bugzilla.suse.com/1216702 SUSE Bug 1216702 https://bugzilla.suse.com/1217169 SUSE Bug 1217169 https://bugzilla.suse.com/1218447 SUSE Bug 1218447 https://bugzilla.suse.com/1221044 SUSE Bug 1221044 https://bugzilla.suse.com/1222721 SUSE Bug 1222721 https://bugzilla.suse.com/1222878 SUSE Bug 1222878 https://bugzilla.suse.com/1223481 SUSE Bug 1223481 https://bugzilla.suse.com/1223501 SUSE Bug 1223501 https://bugzilla.suse.com/1223512 SUSE Bug 1223512 https://bugzilla.suse.com/1223520 SUSE Bug 1223520 https://bugzilla.suse.com/1223894 SUSE Bug 1223894 https://bugzilla.suse.com/1223921 SUSE Bug 1223921 https://bugzilla.suse.com/1223922 SUSE Bug 1223922 https://bugzilla.suse.com/1223923 SUSE Bug 1223923 https://bugzilla.suse.com/1223924 SUSE Bug 1223924 https://bugzilla.suse.com/1223929 SUSE Bug 1223929 https://bugzilla.suse.com/1223931 SUSE Bug 1223931 https://bugzilla.suse.com/1223932 SUSE Bug 1223932 https://bugzilla.suse.com/1223934 SUSE Bug 1223934 https://bugzilla.suse.com/1223941 SUSE Bug 1223941 https://bugzilla.suse.com/1223948 SUSE Bug 1223948 https://bugzilla.suse.com/1223952 SUSE Bug 1223952 https://bugzilla.suse.com/1223953 SUSE Bug 1223953 https://bugzilla.suse.com/1223957 SUSE Bug 1223957 https://bugzilla.suse.com/1223962 SUSE Bug 1223962 https://bugzilla.suse.com/1223963 SUSE Bug 1223963 https://bugzilla.suse.com/1223964 SUSE Bug 1223964 https://bugzilla.suse.com/1223996 SUSE Bug 1223996 https://bugzilla.suse.com/1224099 SUSE Bug 1224099 https://bugzilla.suse.com/1224482 SUSE Bug 1224482 https://bugzilla.suse.com/1224511 SUSE Bug 1224511 https://bugzilla.suse.com/1224592 SUSE Bug 1224592 https://bugzilla.suse.com/1224685 SUSE Bug 1224685 https://bugzilla.suse.com/1224730 SUSE Bug 1224730 https://bugzilla.suse.com/1224816 SUSE Bug 1224816 https://bugzilla.suse.com/1224895 SUSE Bug 1224895 https://bugzilla.suse.com/1224898 SUSE Bug 1224898 https://bugzilla.suse.com/1224900 SUSE Bug 1224900 https://bugzilla.suse.com/1224901 SUSE Bug 1224901 https://bugzilla.suse.com/1230697 SUSE Bug 1230697 https://bugzilla.suse.com/1232436 SUSE Bug 1232436 https://bugzilla.suse.com/1233070 SUSE Bug 1233070 https://bugzilla.suse.com/1233642 SUSE Bug 1233642 https://bugzilla.suse.com/1234281 SUSE Bug 1234281 https://bugzilla.suse.com/1234282 SUSE Bug 1234282 https://bugzilla.suse.com/1234846 SUSE Bug 1234846 https://bugzilla.suse.com/1234853 SUSE Bug 1234853 https://bugzilla.suse.com/1234891 SUSE Bug 1234891 https://bugzilla.suse.com/1234921 SUSE Bug 1234921 https://bugzilla.suse.com/1234960 SUSE Bug 1234960 https://bugzilla.suse.com/1234963 SUSE Bug 1234963 https://bugzilla.suse.com/1235004 SUSE Bug 1235004 https://bugzilla.suse.com/1235035 SUSE Bug 1235035 https://bugzilla.suse.com/1235054 SUSE Bug 1235054 https://bugzilla.suse.com/1235056 SUSE Bug 1235056 https://bugzilla.suse.com/1235061 SUSE Bug 1235061 https://bugzilla.suse.com/1235073 SUSE Bug 1235073 https://bugzilla.suse.com/1235220 SUSE Bug 1235220 https://bugzilla.suse.com/1235224 SUSE Bug 1235224 https://bugzilla.suse.com/1235246 SUSE Bug 1235246 https://bugzilla.suse.com/1235507 SUSE Bug 1235507 https://www.suse.com/security/cve/CVE-2020-36788/ SUSE CVE CVE-2020-36788 page https://www.suse.com/security/cve/CVE-2021-4148/ SUSE CVE CVE-2021-4148 page https://www.suse.com/security/cve/CVE-2021-42327/ SUSE CVE CVE-2021-42327 page https://www.suse.com/security/cve/CVE-2021-47202/ SUSE CVE CVE-2021-47202 page https://www.suse.com/security/cve/CVE-2021-47365/ SUSE CVE CVE-2021-47365 page https://www.suse.com/security/cve/CVE-2021-47489/ SUSE CVE CVE-2021-47489 page https://www.suse.com/security/cve/CVE-2021-47491/ SUSE CVE CVE-2021-47491 page https://www.suse.com/security/cve/CVE-2021-47492/ SUSE CVE CVE-2021-47492 page https://www.suse.com/security/cve/CVE-2022-48632/ SUSE CVE CVE-2022-48632 page https://www.suse.com/security/cve/CVE-2022-48634/ SUSE CVE CVE-2022-48634 page https://www.suse.com/security/cve/CVE-2022-48636/ SUSE CVE CVE-2022-48636 page https://www.suse.com/security/cve/CVE-2022-48652/ SUSE CVE CVE-2022-48652 page https://www.suse.com/security/cve/CVE-2022-48671/ SUSE CVE CVE-2022-48671 page https://www.suse.com/security/cve/CVE-2022-48672/ SUSE CVE CVE-2022-48672 page https://www.suse.com/security/cve/CVE-2022-48673/ SUSE CVE CVE-2022-48673 page https://www.suse.com/security/cve/CVE-2022-48675/ SUSE CVE CVE-2022-48675 page https://www.suse.com/security/cve/CVE-2022-48686/ SUSE CVE CVE-2022-48686 page https://www.suse.com/security/cve/CVE-2022-48687/ SUSE CVE CVE-2022-48687 page https://www.suse.com/security/cve/CVE-2022-48688/ SUSE CVE CVE-2022-48688 page https://www.suse.com/security/cve/CVE-2022-48692/ SUSE CVE CVE-2022-48692 page https://www.suse.com/security/cve/CVE-2022-48693/ SUSE CVE CVE-2022-48693 page https://www.suse.com/security/cve/CVE-2022-48694/ SUSE CVE CVE-2022-48694 page https://www.suse.com/security/cve/CVE-2022-48695/ SUSE CVE CVE-2022-48695 page https://www.suse.com/security/cve/CVE-2022-48697/ SUSE CVE CVE-2022-48697 page https://www.suse.com/security/cve/CVE-2022-48699/ SUSE CVE CVE-2022-48699 page https://www.suse.com/security/cve/CVE-2022-48700/ SUSE CVE CVE-2022-48700 page https://www.suse.com/security/cve/CVE-2022-48701/ SUSE CVE CVE-2022-48701 page https://www.suse.com/security/cve/CVE-2022-48702/ SUSE CVE CVE-2022-48702 page https://www.suse.com/security/cve/CVE-2022-48703/ SUSE CVE CVE-2022-48703 page https://www.suse.com/security/cve/CVE-2022-48704/ SUSE CVE CVE-2022-48704 page https://www.suse.com/security/cve/CVE-2022-49035/ SUSE CVE CVE-2022-49035 page https://www.suse.com/security/cve/CVE-2023-0160/ SUSE CVE CVE-2023-0160 page https://www.suse.com/security/cve/CVE-2023-2860/ SUSE CVE CVE-2023-2860 page https://www.suse.com/security/cve/CVE-2023-47233/ SUSE CVE CVE-2023-47233 page https://www.suse.com/security/cve/CVE-2023-52591/ SUSE CVE CVE-2023-52591 page https://www.suse.com/security/cve/CVE-2023-52654/ SUSE CVE CVE-2023-52654 page https://www.suse.com/security/cve/CVE-2023-52655/ SUSE CVE CVE-2023-52655 page https://www.suse.com/security/cve/CVE-2023-52676/ SUSE CVE CVE-2023-52676 page https://www.suse.com/security/cve/CVE-2023-6531/ SUSE CVE CVE-2023-6531 page https://www.suse.com/security/cve/CVE-2024-26764/ SUSE CVE CVE-2024-26764 page https://www.suse.com/security/cve/CVE-2024-35811/ SUSE CVE CVE-2024-35811 page https://www.suse.com/security/cve/CVE-2024-35815/ SUSE CVE CVE-2024-35815 page https://www.suse.com/security/cve/CVE-2024-35895/ SUSE CVE CVE-2024-35895 page https://www.suse.com/security/cve/CVE-2024-35914/ SUSE CVE CVE-2024-35914 page https://www.suse.com/security/cve/CVE-2024-50154/ SUSE CVE CVE-2024-50154 page https://www.suse.com/security/cve/CVE-2024-53095/ SUSE CVE CVE-2024-53095 page https://www.suse.com/security/cve/CVE-2024-53142/ SUSE CVE CVE-2024-53142 page https://www.suse.com/security/cve/CVE-2024-53146/ SUSE CVE CVE-2024-53146 page https://www.suse.com/security/cve/CVE-2024-53156/ SUSE CVE CVE-2024-53156 page https://www.suse.com/security/cve/CVE-2024-53173/ SUSE CVE CVE-2024-53173 page https://www.suse.com/security/cve/CVE-2024-53179/ SUSE CVE CVE-2024-53179 page https://www.suse.com/security/cve/CVE-2024-53206/ SUSE CVE CVE-2024-53206 page https://www.suse.com/security/cve/CVE-2024-53214/ SUSE CVE CVE-2024-53214 page https://www.suse.com/security/cve/CVE-2024-53239/ SUSE CVE CVE-2024-53239 page https://www.suse.com/security/cve/CVE-2024-53240/ SUSE CVE CVE-2024-53240 page https://www.suse.com/security/cve/CVE-2024-53241/ SUSE CVE CVE-2024-53241 page https://www.suse.com/security/cve/CVE-2024-56539/ SUSE CVE CVE-2024-56539 page https://www.suse.com/security/cve/CVE-2024-56548/ SUSE CVE CVE-2024-56548 page https://www.suse.com/security/cve/CVE-2024-56570/ SUSE CVE CVE-2024-56570 page https://www.suse.com/security/cve/CVE-2024-56598/ SUSE CVE CVE-2024-56598 page https://www.suse.com/security/cve/CVE-2024-56604/ SUSE CVE CVE-2024-56604 page https://www.suse.com/security/cve/CVE-2024-56605/ SUSE CVE CVE-2024-56605 page https://www.suse.com/security/cve/CVE-2024-56619/ SUSE CVE CVE-2024-56619 page https://www.suse.com/security/cve/CVE-2024-8805/ SUSE CVE CVE-2024-8805 page SUSE Linux Enterprise Micro 5.3 SUSE Linux Enterprise Micro 5.4 cluster-md-kmp-rt-5.14.21-150400.15.106.1 dlm-kmp-rt-5.14.21-150400.15.106.1 gfs2-kmp-rt-5.14.21-150400.15.106.1 kernel-devel-rt-5.14.21-150400.15.106.1 kernel-rt-5.14.21-150400.15.106.1 kernel-rt-devel-5.14.21-150400.15.106.1 kernel-rt-extra-5.14.21-150400.15.106.1 kernel-rt-livepatch-5.14.21-150400.15.106.1 kernel-rt-livepatch-devel-5.14.21-150400.15.106.1 kernel-rt-optional-5.14.21-150400.15.106.1 kernel-rt_debug-5.14.21-150400.15.106.1 kernel-rt_debug-devel-5.14.21-150400.15.106.1 kernel-source-rt-5.14.21-150400.15.106.1 kernel-syms-rt-5.14.21-150400.15.106.1 kselftests-kmp-rt-5.14.21-150400.15.106.1 ocfs2-kmp-rt-5.14.21-150400.15.106.1 reiserfs-kmp-rt-5.14.21-150400.15.106.1 kernel-rt-5.14.21-150400.15.106.1 as a component of SUSE Linux Enterprise Micro 5.3 kernel-source-rt-5.14.21-150400.15.106.1 as a component of SUSE Linux Enterprise Micro 5.3 kernel-rt-5.14.21-150400.15.106.1 as a component of SUSE Linux Enterprise Micro 5.4 kernel-source-rt-5.14.21-150400.15.106.1 as a component of SUSE Linux Enterprise Micro 5.4 In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: avoid a use-after-free when BO init fails nouveau_bo_init() is backed by ttm_bo_init() and ferries its return code back to the caller. On failures, ttm_bo_init() invokes the provided destructor which should de-initialize and free the memory. Thus, when nouveau_bo_init() returns an error the gem object has already been released and the memory freed by nouveau_bo_del_ttm(). CVE-2020-36788 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2020-36788.html CVE-2020-36788 https://bugzilla.suse.com/1224816 SUSE Bug 1224816 A vulnerability was found in the Linux kernel's block_invalidatepage in fs/buffer.c in the filesystem. A missing sanity check may allow a local attacker with user privilege to cause a denial of service (DOS) problem. CVE-2021-4148 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate 4.9 AV:L/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2021-4148.html CVE-2021-4148 https://bugzilla.suse.com/1193983 SUSE Bug 1193983 dp_link_settings_write in drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c in the Linux kernel through 5.14.14 allows a heap-based buffer overflow by an attacker who can write a string to the AMD GPU display drivers debug filesystem. There are no checks on size within parse_write_buffer_into_params when it uses the size of copy_from_user to copy a userspace buffer into a 40-byte heap buffer. CVE-2021-42327 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2021-42327.html CVE-2021-42327 https://bugzilla.suse.com/1191949 SUSE Bug 1191949 https://bugzilla.suse.com/1224901 SUSE Bug 1224901 In the Linux kernel, the following vulnerability has been resolved: thermal: Fix NULL pointer dereferences in of_thermal_ functions of_parse_thermal_zones() parses the thermal-zones node and registers a thermal_zone device for each subnode. However, if a thermal zone is consuming a thermal sensor and that thermal sensor device hasn't probed yet, an attempt to set trip_point_*_temp for that thermal zone device can cause a NULL pointer dereference. Fix it. console:/sys/class/thermal/thermal_zone87 # echo 120000 > trip_point_0_temp ... Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 ... Call trace: of_thermal_set_trip_temp+0x40/0xc4 trip_point_temp_store+0xc0/0x1dc dev_attr_store+0x38/0x88 sysfs_kf_write+0x64/0xc0 kernfs_fop_write_iter+0x108/0x1d0 vfs_write+0x2f4/0x368 ksys_write+0x7c/0xec __arm64_sys_write+0x20/0x30 el0_svc_common.llvm.7279915941325364641+0xbc/0x1bc do_el0_svc+0x28/0xa0 el0_svc+0x14/0x24 el0_sync_handler+0x88/0xec el0_sync+0x1c0/0x200 While at it, fix the possible NULL pointer dereference in other functions as well: of_thermal_get_temp(), of_thermal_set_emul_temp(), of_thermal_get_trend(). CVE-2021-47202 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2021-47202.html CVE-2021-47202 https://bugzilla.suse.com/1222878 SUSE Bug 1222878 In the Linux kernel, the following vulnerability has been resolved: afs: Fix page leak There's a loop in afs_extend_writeback() that adds extra pages to a write we want to make to improve the efficiency of the writeback by making it larger. This loop stops, however, if we hit a page we can't write back from immediately, but it doesn't get rid of the page ref we speculatively acquired. This was caused by the removal of the cleanup loop when the code switched from using find_get_pages_contig() to xarray scanning as the latter only gets a single page at a time, not a batch. Fix this by putting the page on a ref on an early break from the loop. Unfortunately, we can't just add that page to the pagevec we're employing as we'll go through that and add those pages to the RPC call. This was found by the generic/074 test. It leaks ~4GiB of RAM each time it is run - which can be observed with "top". CVE-2021-47365 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2021-47365.html CVE-2021-47365 https://bugzilla.suse.com/1224895 SUSE Bug 1224895 In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix even more out of bound writes from debugfs CVE-2021-42327 was fixed by: commit f23750b5b3d98653b31d4469592935ef6364ad67 Author: Thelford Williams <tdwilliamsiv@gmail.com> Date: Wed Oct 13 16:04:13 2021 -0400 drm/amdgpu: fix out of bounds write but amdgpu_dm_debugfs.c contains more of the same issue so fix the remaining ones. v2: * Add missing fix in dp_max_bpc_write (Harry Wentland) CVE-2021-47489 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2021-47489.html CVE-2021-47489 https://bugzilla.suse.com/1224901 SUSE Bug 1224901 In the Linux kernel, the following vulnerability has been resolved: mm: khugepaged: skip huge page collapse for special files The read-only THP for filesystems will collapse THP for files opened readonly and mapped with VM_EXEC. The intended usecase is to avoid TLB misses for large text segments. But it doesn't restrict the file types so a THP could be collapsed for a non-regular file, for example, block device, if it is opened readonly and mapped with EXEC permission. This may cause bugs, like [1] and [2]. This is definitely not the intended usecase, so just collapse THP for regular files in order to close the attack surface. [shy828301@gmail.com: fix vm_file check [3]] CVE-2021-47491 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2021-47491.html CVE-2021-47491 https://bugzilla.suse.com/1224900 SUSE Bug 1224900 In the Linux kernel, the following vulnerability has been resolved: mm, thp: bail out early in collapse_file for writeback page Currently collapse_file does not explicitly check PG_writeback, instead, page_has_private and try_to_release_page are used to filter writeback pages. This does not work for xfs with blocksize equal to or larger than pagesize, because in such case xfs has no page->private. This makes collapse_file bail out early for writeback page. Otherwise, xfs end_page_writeback will panic as follows. page:fffffe00201bcc80 refcount:0 mapcount:0 mapping:ffff0003f88c86a8 index:0x0 pfn:0x84ef32 aops:xfs_address_space_operations [xfs] ino:30000b7 dentry name:"libtest.so" flags: 0x57fffe0000008027(locked|referenced|uptodate|active|writeback) raw: 57fffe0000008027 ffff80001b48bc28 ffff80001b48bc28 ffff0003f88c86a8 raw: 0000000000000000 0000000000000000 00000000ffffffff ffff0000c3e9a000 page dumped because: VM_BUG_ON_PAGE(((unsigned int) page_ref_count(page) + 127u <= 127u)) page->mem_cgroup:ffff0000c3e9a000 ------------[ cut here ]------------ kernel BUG at include/linux/mm.h:1212! Internal error: Oops - BUG: 0 [#1] SMP Modules linked in: BUG: Bad page state in process khugepaged pfn:84ef32 xfs(E) page:fffffe00201bcc80 refcount:0 mapcount:0 mapping:0 index:0x0 pfn:0x84ef32 libcrc32c(E) rfkill(E) aes_ce_blk(E) crypto_simd(E) ... CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Tainted: ... pstate: 60400005 (nZCv daif +PAN -UAO -TCO BTYPE=--) Call trace: end_page_writeback+0x1c0/0x214 iomap_finish_page_writeback+0x13c/0x204 iomap_finish_ioend+0xe8/0x19c iomap_writepage_end_bio+0x38/0x50 bio_endio+0x168/0x1ec blk_update_request+0x278/0x3f0 blk_mq_end_request+0x34/0x15c virtblk_request_done+0x38/0x74 [virtio_blk] blk_done_softirq+0xc4/0x110 __do_softirq+0x128/0x38c __irq_exit_rcu+0x118/0x150 irq_exit+0x1c/0x30 __handle_domain_irq+0x8c/0xf0 gic_handle_irq+0x84/0x108 el1_irq+0xcc/0x180 arch_cpu_idle+0x18/0x40 default_idle_call+0x4c/0x1a0 cpuidle_idle_call+0x168/0x1e0 do_idle+0xb4/0x104 cpu_startup_entry+0x30/0x9c secondary_start_kernel+0x104/0x180 Code: d4210000 b0006161 910c8021 94013f4d (d4210000) ---[ end trace 4a88c6a074082f8c ]--- Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt CVE-2021-47492 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2021-47492.html CVE-2021-47492 https://bugzilla.suse.com/1224898 SUSE Bug 1224898 In the Linux kernel, the following vulnerability has been resolved: i2c: mlxbf: prevent stack overflow in mlxbf_i2c_smbus_start_transaction() memcpy() is called in a loop while 'operation->length' upper bound is not checked and 'data_idx' also increments. CVE-2022-48632 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2022-48632.html CVE-2022-48632 https://bugzilla.suse.com/1223481 SUSE Bug 1223481 In the Linux kernel, the following vulnerability has been resolved: drm/gma500: Fix BUG: sleeping function called from invalid context errors gma_crtc_page_flip() was holding the event_lock spinlock while calling crtc_funcs->mode_set_base() which takes ww_mutex. The only reason to hold event_lock is to clear gma_crtc->page_flip_event on mode_set_base() errors. Instead unlock it after setting gma_crtc->page_flip_event and on errors re-take the lock and clear gma_crtc->page_flip_event it it is still set. This fixes the following WARN/stacktrace: [ 512.122953] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:870 [ 512.123004] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1253, name: gnome-shell [ 512.123031] preempt_count: 1, expected: 0 [ 512.123048] RCU nest depth: 0, expected: 0 [ 512.123066] INFO: lockdep is turned off. [ 512.123080] irq event stamp: 0 [ 512.123094] hardirqs last enabled at (0): [<0000000000000000>] 0x0 [ 512.123134] hardirqs last disabled at (0): [<ffffffff8d0ec28c>] copy_process+0x9fc/0x1de0 [ 512.123176] softirqs last enabled at (0): [<ffffffff8d0ec28c>] copy_process+0x9fc/0x1de0 [ 512.123207] softirqs last disabled at (0): [<0000000000000000>] 0x0 [ 512.123233] Preemption disabled at: [ 512.123241] [<0000000000000000>] 0x0 [ 512.123275] CPU: 3 PID: 1253 Comm: gnome-shell Tainted: G W 5.19.0+ #1 [ 512.123304] Hardware name: Packard Bell dot s/SJE01_CT, BIOS V1.10 07/23/2013 [ 512.123323] Call Trace: [ 512.123346] <TASK> [ 512.123370] dump_stack_lvl+0x5b/0x77 [ 512.123412] __might_resched.cold+0xff/0x13a [ 512.123458] ww_mutex_lock+0x1e/0xa0 [ 512.123495] psb_gem_pin+0x2c/0x150 [gma500_gfx] [ 512.123601] gma_pipe_set_base+0x76/0x240 [gma500_gfx] [ 512.123708] gma_crtc_page_flip+0x95/0x130 [gma500_gfx] [ 512.123808] drm_mode_page_flip_ioctl+0x57d/0x5d0 [ 512.123897] ? drm_mode_cursor2_ioctl+0x10/0x10 [ 512.123936] drm_ioctl_kernel+0xa1/0x150 [ 512.123984] drm_ioctl+0x21f/0x420 [ 512.124025] ? drm_mode_cursor2_ioctl+0x10/0x10 [ 512.124070] ? rcu_read_lock_bh_held+0xb/0x60 [ 512.124104] ? lock_release+0x1ef/0x2d0 [ 512.124161] __x64_sys_ioctl+0x8d/0xd0 [ 512.124203] do_syscall_64+0x58/0x80 [ 512.124239] ? do_syscall_64+0x67/0x80 [ 512.124267] ? trace_hardirqs_on_prepare+0x55/0xe0 [ 512.124300] ? do_syscall_64+0x67/0x80 [ 512.124340] ? rcu_read_lock_sched_held+0x10/0x80 [ 512.124377] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 512.124411] RIP: 0033:0x7fcc4a70740f [ 512.124442] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 18 48 8b 44 24 18 64 48 2b 04 25 28 00 00 [ 512.124470] RSP: 002b:00007ffda73f5390 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 512.124503] RAX: ffffffffffffffda RBX: 000055cc9e474500 RCX: 00007fcc4a70740f [ 512.124524] RDX: 00007ffda73f5420 RSI: 00000000c01864b0 RDI: 0000000000000009 [ 512.124544] RBP: 00007ffda73f5420 R08: 000055cc9c0b0cb0 R09: 0000000000000034 [ 512.124564] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000c01864b0 [ 512.124584] R13: 0000000000000009 R14: 000055cc9df484d0 R15: 000055cc9af5d0c0 [ 512.124647] </TASK> CVE-2022-48634 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2022-48634.html CVE-2022-48634 https://bugzilla.suse.com/1223501 SUSE Bug 1223501 In the Linux kernel, the following vulnerability has been resolved: s390/dasd: fix Oops in dasd_alias_get_start_dev due to missing pavgroup Fix Oops in dasd_alias_get_start_dev() function caused by the pavgroup pointer being NULL. The pavgroup pointer is checked on the entrance of the function but without the lcu->lock being held. Therefore there is a race window between dasd_alias_get_start_dev() and _lcu_update() which sets pavgroup to NULL with the lcu->lock held. Fix by checking the pavgroup pointer with lcu->lock held. CVE-2022-48636 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2022-48636.html CVE-2022-48636 https://bugzilla.suse.com/1223512 SUSE Bug 1223512 In the Linux kernel, the following vulnerability has been resolved: ice: Fix crash by keep old cfg when update TCs more than queues There are problems if allocated queues less than Traffic Classes. Commit a632b2a4c920 ("ice: ethtool: Prohibit improper channel config for DCB") already disallow setting less queues than TCs. Another case is if we first set less queues, and later update more TCs config due to LLDP, ice_vsi_cfg_tc() will failed but left dirty num_txq/rxq and tc_cfg in vsi, that will cause invalid pointer access. [ 95.968089] ice 0000:3b:00.1: More TCs defined than queues/rings allocated. [ 95.968092] ice 0000:3b:00.1: Trying to use more Rx queues (8), than were allocated (1)! [ 95.968093] ice 0000:3b:00.1: Failed to config TC for VSI index: 0 [ 95.969621] general protection fault: 0000 [#1] SMP NOPTI [ 95.969705] CPU: 1 PID: 58405 Comm: lldpad Kdump: loaded Tainted: G U W O --------- -t - 4.18.0 #1 [ 95.969867] Hardware name: O.E.M/BC11SPSCB10, BIOS 8.23 12/30/2021 [ 95.969992] RIP: 0010:devm_kmalloc+0xa/0x60 [ 95.970052] Code: 5c ff ff ff 31 c0 5b 5d 41 5c c3 b8 f4 ff ff ff eb f4 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 89 d1 <8b> 97 60 02 00 00 48 8d 7e 18 48 39 f7 72 3f 55 89 ce 53 48 8b 4c [ 95.970344] RSP: 0018:ffffc9003f553888 EFLAGS: 00010206 [ 95.970425] RAX: dead000000000200 RBX: ffffea003c425b00 RCX: 00000000006080c0 [ 95.970536] RDX: 00000000006080c0 RSI: 0000000000000200 RDI: dead000000000200 [ 95.970648] RBP: dead000000000200 R08: 00000000000463c0 R09: ffff888ffa900000 [ 95.970760] R10: 0000000000000000 R11: 0000000000000002 R12: ffff888ff6b40100 [ 95.970870] R13: ffff888ff6a55018 R14: 0000000000000000 R15: ffff888ff6a55460 [ 95.970981] FS: 00007f51b7d24700(0000) GS:ffff88903ee80000(0000) knlGS:0000000000000000 [ 95.971108] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 95.971197] CR2: 00007fac5410d710 CR3: 0000000f2c1de002 CR4: 00000000007606e0 [ 95.971309] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 95.971419] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 95.971530] PKRU: 55555554 [ 95.971573] Call Trace: [ 95.971622] ice_setup_rx_ring+0x39/0x110 [ice] [ 95.971695] ice_vsi_setup_rx_rings+0x54/0x90 [ice] [ 95.971774] ice_vsi_open+0x25/0x120 [ice] [ 95.971843] ice_open_internal+0xb8/0x1f0 [ice] [ 95.971919] ice_ena_vsi+0x4f/0xd0 [ice] [ 95.971987] ice_dcb_ena_dis_vsi.constprop.5+0x29/0x90 [ice] [ 95.972082] ice_pf_dcb_cfg+0x29a/0x380 [ice] [ 95.972154] ice_dcbnl_setets+0x174/0x1b0 [ice] [ 95.972220] dcbnl_ieee_set+0x89/0x230 [ 95.972279] ? dcbnl_ieee_del+0x150/0x150 [ 95.972341] dcb_doit+0x124/0x1b0 [ 95.972392] rtnetlink_rcv_msg+0x243/0x2f0 [ 95.972457] ? dcb_doit+0x14d/0x1b0 [ 95.972510] ? __kmalloc_node_track_caller+0x1d3/0x280 [ 95.972591] ? rtnl_calcit.isra.31+0x100/0x100 [ 95.972661] netlink_rcv_skb+0xcf/0xf0 [ 95.972720] netlink_unicast+0x16d/0x220 [ 95.972781] netlink_sendmsg+0x2ba/0x3a0 [ 95.975891] sock_sendmsg+0x4c/0x50 [ 95.979032] ___sys_sendmsg+0x2e4/0x300 [ 95.982147] ? kmem_cache_alloc+0x13e/0x190 [ 95.985242] ? __wake_up_common_lock+0x79/0x90 [ 95.988338] ? __check_object_size+0xac/0x1b0 [ 95.991440] ? _copy_to_user+0x22/0x30 [ 95.994539] ? move_addr_to_user+0xbb/0xd0 [ 95.997619] ? __sys_sendmsg+0x53/0x80 [ 96.000664] __sys_sendmsg+0x53/0x80 [ 96.003747] do_syscall_64+0x5b/0x1d0 [ 96.006862] entry_SYSCALL_64_after_hwframe+0x65/0xca Only update num_txq/rxq when passed check, and restore tc_cfg if setup queue map failed. CVE-2022-48652 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2022-48652.html CVE-2022-48652 https://bugzilla.suse.com/1223520 SUSE Bug 1223520 In the Linux kernel, the following vulnerability has been resolved: cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all() syzbot is hitting percpu_rwsem_assert_held(&cpu_hotplug_lock) warning at cpuset_attach() [1], for commit 4f7e7236435ca0ab ("cgroup: Fix threadgroup_rwsem <-> cpus_read_lock() deadlock") missed that cpuset_attach() is also called from cgroup_attach_task_all(). Add cpus_read_lock() like what cgroup_procs_write_start() does. CVE-2022-48671 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2022-48671.html CVE-2022-48671 https://bugzilla.suse.com/1223929 SUSE Bug 1223929 In the Linux kernel, the following vulnerability has been resolved: of: fdt: fix off-by-one error in unflatten_dt_nodes() Commit 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree") forgot to fix up the depth check in the loop body in unflatten_dt_nodes() which makes it possible to overflow the nps[] buffer... Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. CVE-2022-48672 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2022-48672.html CVE-2022-48672 https://bugzilla.suse.com/1223931 SUSE Bug 1223931 In the Linux kernel, the following vulnerability has been resolved: net/smc: Fix possible access to freed memory in link clear After modifying the QP to the Error state, all RX WR would be completed with WC in IB_WC_WR_FLUSH_ERR status. Current implementation does not wait for it is done, but destroy the QP and free the link group directly. So there is a risk that accessing the freed memory in tasklet context. Here is a crash example: BUG: unable to handle page fault for address: ffffffff8f220860 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD f7300e067 P4D f7300e067 PUD f7300f063 PMD 8c4e45063 PTE 800ffff08c9df060 Oops: 0002 [#1] SMP PTI CPU: 1 PID: 0 Comm: swapper/1 Kdump: loaded Tainted: G S OE 5.10.0-0607+ #23 Hardware name: Inspur NF5280M4/YZMB-00689-101, BIOS 4.1.20 07/09/2018 RIP: 0010:native_queued_spin_lock_slowpath+0x176/0x1b0 Code: f3 90 48 8b 32 48 85 f6 74 f6 eb d5 c1 ee 12 83 e0 03 83 ee 01 48 c1 e0 05 48 63 f6 48 05 00 c8 02 00 48 03 04 f5 00 09 98 8e <48> 89 10 8b 42 08 85 c0 75 09 f3 90 8b 42 08 85 c0 74 f7 48 8b 32 RSP: 0018:ffffb3b6c001ebd8 EFLAGS: 00010086 RAX: ffffffff8f220860 RBX: 0000000000000246 RCX: 0000000000080000 RDX: ffff91db1f86c800 RSI: 000000000000173c RDI: ffff91db62bace00 RBP: ffff91db62bacc00 R08: 0000000000000000 R09: c00000010000028b R10: 0000000000055198 R11: ffffb3b6c001ea58 R12: ffff91db80e05010 R13: 000000000000000a R14: 0000000000000006 R15: 0000000000000040 FS: 0000000000000000(0000) GS:ffff91db1f840000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffff8f220860 CR3: 00000001f9580004 CR4: 00000000003706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <IRQ> _raw_spin_lock_irqsave+0x30/0x40 mlx5_ib_poll_cq+0x4c/0xc50 [mlx5_ib] smc_wr_rx_tasklet_fn+0x56/0xa0 [smc] tasklet_action_common.isra.21+0x66/0x100 __do_softirq+0xd5/0x29c asm_call_irq_on_stack+0x12/0x20 </IRQ> do_softirq_own_stack+0x37/0x40 irq_exit_rcu+0x9d/0xa0 sysvec_call_function_single+0x34/0x80 asm_sysvec_call_function_single+0x12/0x20 CVE-2022-48673 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2022-48673.html CVE-2022-48673 https://bugzilla.suse.com/1223934 SUSE Bug 1223934 https://bugzilla.suse.com/1223940 SUSE Bug 1223940 In the Linux kernel, the following vulnerability has been resolved: IB/core: Fix a nested dead lock as part of ODP flow Fix a nested dead lock as part of ODP flow by using mmput_async(). From the below call trace [1] can see that calling mmput() once we have the umem_odp->umem_mutex locked as required by ib_umem_odp_map_dma_and_lock() might trigger in the same task the exit_mmap()->__mmu_notifier_release()->mlx5_ib_invalidate_range() which may dead lock when trying to lock the same mutex. Moving to use mmput_async() will solve the problem as the above exit_mmap() flow will be called in other task and will be executed once the lock will be available. [1] [64843.077665] task:kworker/u133:2 state:D stack: 0 pid:80906 ppid: 2 flags:0x00004000 [64843.077672] Workqueue: mlx5_ib_page_fault mlx5_ib_eqe_pf_action [mlx5_ib] [64843.077719] Call Trace: [64843.077722] <TASK> [64843.077724] __schedule+0x23d/0x590 [64843.077729] schedule+0x4e/0xb0 [64843.077735] schedule_preempt_disabled+0xe/0x10 [64843.077740] __mutex_lock.constprop.0+0x263/0x490 [64843.077747] __mutex_lock_slowpath+0x13/0x20 [64843.077752] mutex_lock+0x34/0x40 [64843.077758] mlx5_ib_invalidate_range+0x48/0x270 [mlx5_ib] [64843.077808] __mmu_notifier_release+0x1a4/0x200 [64843.077816] exit_mmap+0x1bc/0x200 [64843.077822] ? walk_page_range+0x9c/0x120 [64843.077828] ? __cond_resched+0x1a/0x50 [64843.077833] ? mutex_lock+0x13/0x40 [64843.077839] ? uprobe_clear_state+0xac/0x120 [64843.077860] mmput+0x5f/0x140 [64843.077867] ib_umem_odp_map_dma_and_lock+0x21b/0x580 [ib_core] [64843.077931] pagefault_real_mr+0x9a/0x140 [mlx5_ib] [64843.077962] pagefault_mr+0xb4/0x550 [mlx5_ib] [64843.077992] pagefault_single_data_segment.constprop.0+0x2ac/0x560 [mlx5_ib] [64843.078022] mlx5_ib_eqe_pf_action+0x528/0x780 [mlx5_ib] [64843.078051] process_one_work+0x22b/0x3d0 [64843.078059] worker_thread+0x53/0x410 [64843.078065] ? process_one_work+0x3d0/0x3d0 [64843.078073] kthread+0x12a/0x150 [64843.078079] ? set_kthread_struct+0x50/0x50 [64843.078085] ret_from_fork+0x22/0x30 [64843.078093] </TASK> CVE-2022-48675 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2022-48675.html CVE-2022-48675 https://bugzilla.suse.com/1223894 SUSE Bug 1223894 In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix UAF when detecting digest errors We should also bail from the io_work loop when we set rd_enabled to true, so we don't attempt to read data from the socket when the TCP stream is already out-of-sync or corrupted. CVE-2022-48686 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2022-48686.html CVE-2022-48686 https://bugzilla.suse.com/1223948 SUSE Bug 1223948 https://bugzilla.suse.com/1226337 SUSE Bug 1226337 In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix out-of-bounds read when setting HMAC data. The SRv6 layer allows defining HMAC data that can later be used to sign IPv6 Segment Routing Headers. This configuration is realised via netlink through four attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and SEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual length of the SECRET attribute, it is possible to provide invalid combinations (e.g., secret = "", secretlen = 64). This case is not checked in the code and with an appropriately crafted netlink message, an out-of-bounds read of up to 64 bytes (max secret length) can occur past the skb end pointer and into skb_shared_info: Breakpoint 1, seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208 208 memcpy(hinfo->secret, secret, slen); (gdb) bt #0 seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208 #1 0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600, extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 <init_net>, family=<optimized out>, family=<optimized out>) at net/netlink/genetlink.c:731 #2 0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00, family=0xffffffff82fef6c0 <seg6_genl_family>) at net/netlink/genetlink.c:775 #3 genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792 #4 0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 <genl_rcv_msg>) at net/netlink/af_netlink.c:2501 #5 0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803 #6 0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000) at net/netlink/af_netlink.c:1319 #7 netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=<optimized out>) at net/netlink/af_netlink.c:1345 #8 0xffffffff81dff9a4 in netlink_sendmsg (sock=<optimized out>, msg=0xffffc90000ba7e48, len=<optimized out>) at net/netlink/af_netlink.c:1921 ... (gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end $1 = 0xffff88800b1b76c0 (gdb) p/x secret $2 = 0xffff88800b1b76c0 (gdb) p slen $3 = 64 '@' The OOB data can then be read back from userspace by dumping HMAC state. This commit fixes this by ensuring SECRETLEN cannot exceed the actual length of SECRET. CVE-2022-48687 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2022-48687.html CVE-2022-48687 https://bugzilla.suse.com/1223952 SUSE Bug 1223952 https://bugzilla.suse.com/1224043 SUSE Bug 1224043 In the Linux kernel, the following vulnerability has been resolved: i40e: Fix kernel crash during module removal The driver incorrectly frees client instance and subsequent i40e module removal leads to kernel crash. Reproducer: 1. Do ethtool offline test followed immediately by another one host# ethtool -t eth0 offline; ethtool -t eth0 offline 2. Remove recursively irdma module that also removes i40e module host# modprobe -r irdma Result: [ 8675.035651] i40e 0000:3d:00.0 eno1: offline testing starting [ 8675.193774] i40e 0000:3d:00.0 eno1: testing finished [ 8675.201316] i40e 0000:3d:00.0 eno1: offline testing starting [ 8675.358921] i40e 0000:3d:00.0 eno1: testing finished [ 8675.496921] i40e 0000:3d:00.0: IRDMA hardware initialization FAILED init_state=2 status=-110 [ 8686.188955] i40e 0000:3d:00.1: i40e_ptp_stop: removed PHC on eno2 [ 8686.943890] i40e 0000:3d:00.1: Deleted LAN device PF1 bus=0x3d dev=0x00 func=0x01 [ 8686.952669] i40e 0000:3d:00.0: i40e_ptp_stop: removed PHC on eno1 [ 8687.761787] BUG: kernel NULL pointer dereference, address: 0000000000000030 [ 8687.768755] #PF: supervisor read access in kernel mode [ 8687.773895] #PF: error_code(0x0000) - not-present page [ 8687.779034] PGD 0 P4D 0 [ 8687.781575] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 8687.785935] CPU: 51 PID: 172891 Comm: rmmod Kdump: loaded Tainted: G W I 5.19.0+ #2 [ 8687.794800] Hardware name: Intel Corporation S2600WFD/S2600WFD, BIOS SE5C620.86B.0X.02.0001.051420190324 05/14/2019 [ 8687.805222] RIP: 0010:i40e_lan_del_device+0x13/0xb0 [i40e] [ 8687.810719] Code: d4 84 c0 0f 84 b8 25 01 00 e9 9c 25 01 00 41 bc f4 ff ff ff eb 91 90 0f 1f 44 00 00 41 54 55 53 48 8b 87 58 08 00 00 48 89 fb <48> 8b 68 30 48 89 ef e8 21 8a 0f d5 48 89 ef e8 a9 78 0f d5 48 8b [ 8687.829462] RSP: 0018:ffffa604072efce0 EFLAGS: 00010202 [ 8687.834689] RAX: 0000000000000000 RBX: ffff8f43833b2000 RCX: 0000000000000000 [ 8687.841821] RDX: 0000000000000000 RSI: ffff8f4b0545b298 RDI: ffff8f43833b2000 [ 8687.848955] RBP: ffff8f43833b2000 R08: 0000000000000001 R09: 0000000000000000 [ 8687.856086] R10: 0000000000000000 R11: 000ffffffffff000 R12: ffff8f43833b2ef0 [ 8687.863218] R13: ffff8f43833b2ef0 R14: ffff915103966000 R15: ffff8f43833b2008 [ 8687.870342] FS: 00007f79501c3740(0000) GS:ffff8f4adffc0000(0000) knlGS:0000000000000000 [ 8687.878427] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 8687.884174] CR2: 0000000000000030 CR3: 000000014276e004 CR4: 00000000007706e0 [ 8687.891306] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 8687.898441] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 8687.905572] PKRU: 55555554 [ 8687.908286] Call Trace: [ 8687.910737] <TASK> [ 8687.912843] i40e_remove+0x2c0/0x330 [i40e] [ 8687.917040] pci_device_remove+0x33/0xa0 [ 8687.920962] device_release_driver_internal+0x1aa/0x230 [ 8687.926188] driver_detach+0x44/0x90 [ 8687.929770] bus_remove_driver+0x55/0xe0 [ 8687.933693] pci_unregister_driver+0x2a/0xb0 [ 8687.937967] i40e_exit_module+0xc/0xf48 [i40e] Two offline tests cause IRDMA driver failure (ETIMEDOUT) and this failure is indicated back to i40e_client_subtask() that calls i40e_client_del_instance() to free client instance referenced by pf->cinst and sets this pointer to NULL. During the module removal i40e_remove() calls i40e_lan_del_device() that dereferences pf->cinst that is NULL -> crash. Do not remove client instance when client open callbacks fails and just clear __I40E_CLIENT_INSTANCE_OPENED bit. The driver also needs to take care about this situation (when netdev is up and client is NOT opened) in i40e_notify_client_of_netdev_close() and calls client close callback only when __I40E_CLIENT_INSTANCE_OPENED is set. CVE-2022-48688 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2022-48688.html CVE-2022-48688 https://bugzilla.suse.com/1223953 SUSE Bug 1223953 In the Linux kernel, the following vulnerability has been resolved: RDMA/srp: Set scmnd->result only when scmnd is not NULL This change fixes the following kernel NULL pointer dereference which is reproduced by blktests srp/007 occasionally. BUG: kernel NULL pointer dereference, address: 0000000000000170 PGD 0 P4D 0 Oops: 0002 [#1] PREEMPT SMP NOPTI CPU: 0 PID: 9 Comm: kworker/0:1H Kdump: loaded Not tainted 6.0.0-rc1+ #37 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-29-g6a62e0cb0dfe-prebuilt.qemu.org 04/01/2014 Workqueue: 0x0 (kblockd) RIP: 0010:srp_recv_done+0x176/0x500 [ib_srp] Code: 00 4d 85 ff 0f 84 52 02 00 00 48 c7 82 80 02 00 00 00 00 00 00 4c 89 df 4c 89 14 24 e8 53 d3 4a f6 4c 8b 14 24 41 0f b6 42 13 <41> 89 87 70 01 00 00 41 0f b6 52 12 f6 c2 02 74 44 41 8b 42 1c b9 RSP: 0018:ffffaef7c0003e28 EFLAGS: 00000282 RAX: 0000000000000000 RBX: ffff9bc9486dea60 RCX: 0000000000000000 RDX: 0000000000000102 RSI: ffffffffb76bbd0e RDI: 00000000ffffffff RBP: ffff9bc980099a00 R08: 0000000000000001 R09: 0000000000000001 R10: ffff9bca53ef0000 R11: ffff9bc980099a10 R12: ffff9bc956e14000 R13: ffff9bc9836b9cb0 R14: ffff9bc9557b4480 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff9bc97ec00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000170 CR3: 0000000007e04000 CR4: 00000000000006f0 Call Trace: <IRQ> __ib_process_cq+0xb7/0x280 [ib_core] ib_poll_handler+0x2b/0x130 [ib_core] irq_poll_softirq+0x93/0x150 __do_softirq+0xee/0x4b8 irq_exit_rcu+0xf7/0x130 sysvec_apic_timer_interrupt+0x8e/0xc0 </IRQ> CVE-2022-48692 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2022-48692.html CVE-2022-48692 https://bugzilla.suse.com/1223962 SUSE Bug 1223962 In the Linux kernel, the following vulnerability has been resolved: soc: brcmstb: pm-arm: Fix refcount leak and __iomem leak bugs In brcmstb_pm_probe(), there are two kinds of leak bugs: (1) we need to add of_node_put() when for_each__matching_node() breaks (2) we need to add iounmap() for each iomap in fail path CVE-2022-48693 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2022-48693.html CVE-2022-48693 https://bugzilla.suse.com/1223963 SUSE Bug 1223963 In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix drain SQ hang with no completion SW generated completions for outstanding WRs posted on SQ after QP is in error target the wrong CQ. This causes the ib_drain_sq to hang with no completion. Fix this to generate completions on the right CQ. [ 863.969340] INFO: task kworker/u52:2:671 blocked for more than 122 seconds. [ 863.979224] Not tainted 5.14.0-130.el9.x86_64 #1 [ 863.986588] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 863.996997] task:kworker/u52:2 state:D stack: 0 pid: 671 ppid: 2 flags:0x00004000 [ 864.007272] Workqueue: xprtiod xprt_autoclose [sunrpc] [ 864.014056] Call Trace: [ 864.017575] __schedule+0x206/0x580 [ 864.022296] schedule+0x43/0xa0 [ 864.026736] schedule_timeout+0x115/0x150 [ 864.032185] __wait_for_common+0x93/0x1d0 [ 864.037717] ? usleep_range_state+0x90/0x90 [ 864.043368] __ib_drain_sq+0xf6/0x170 [ib_core] [ 864.049371] ? __rdma_block_iter_next+0x80/0x80 [ib_core] [ 864.056240] ib_drain_sq+0x66/0x70 [ib_core] [ 864.062003] rpcrdma_xprt_disconnect+0x82/0x3b0 [rpcrdma] [ 864.069365] ? xprt_prepare_transmit+0x5d/0xc0 [sunrpc] [ 864.076386] xprt_rdma_close+0xe/0x30 [rpcrdma] [ 864.082593] xprt_autoclose+0x52/0x100 [sunrpc] [ 864.088718] process_one_work+0x1e8/0x3c0 [ 864.094170] worker_thread+0x50/0x3b0 [ 864.099109] ? rescuer_thread+0x370/0x370 [ 864.104473] kthread+0x149/0x170 [ 864.109022] ? set_kthread_struct+0x40/0x40 [ 864.114713] ret_from_fork+0x22/0x30 CVE-2022-48694 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2022-48694.html CVE-2022-48694 https://bugzilla.suse.com/1223964 SUSE Bug 1223964 In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Fix use-after-free warning Fix the following use-after-free warning which is observed during controller reset: refcount_t: underflow; use-after-free. WARNING: CPU: 23 PID: 5399 at lib/refcount.c:28 refcount_warn_saturate+0xa6/0xf0 CVE-2022-48695 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2022-48695.html CVE-2022-48695 https://bugzilla.suse.com/1223941 SUSE Bug 1223941 In the Linux kernel, the following vulnerability has been resolved: nvmet: fix a use-after-free Fix the following use-after-free complaint triggered by blktests nvme/004: BUG: KASAN: user-memory-access in blk_mq_complete_request_remote+0xac/0x350 Read of size 4 at addr 0000607bd1835943 by task kworker/13:1/460 Workqueue: nvmet-wq nvme_loop_execute_work [nvme_loop] Call Trace: show_stack+0x52/0x58 dump_stack_lvl+0x49/0x5e print_report.cold+0x36/0x1e2 kasan_report+0xb9/0xf0 __asan_load4+0x6b/0x80 blk_mq_complete_request_remote+0xac/0x350 nvme_loop_queue_response+0x1df/0x275 [nvme_loop] __nvmet_req_complete+0x132/0x4f0 [nvmet] nvmet_req_complete+0x15/0x40 [nvmet] nvmet_execute_io_connect+0x18a/0x1f0 [nvmet] nvme_loop_execute_work+0x20/0x30 [nvme_loop] process_one_work+0x56e/0xa70 worker_thread+0x2d1/0x640 kthread+0x183/0x1c0 ret_from_fork+0x1f/0x30 CVE-2022-48697 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2022-48697.html CVE-2022-48697 https://bugzilla.suse.com/1223922 SUSE Bug 1223922 In the Linux kernel, the following vulnerability has been resolved: sched/debug: fix dentry leak in update_sched_domain_debugfs Kuyo reports that the pattern of using debugfs_remove(debugfs_lookup()) leaks a dentry and with a hotplug stress test, the machine eventually runs out of memory. Fix this up by using the newly created debugfs_lookup_and_remove() call instead which properly handles the dentry reference counting logic. CVE-2022-48699 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2022-48699.html CVE-2022-48699 https://bugzilla.suse.com/1223996 SUSE Bug 1223996 ** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2022-48700 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2022-48700.html CVE-2022-48700 https://bugzilla.suse.com/1223957 SUSE Bug 1223957 In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface() There may be a bad USB audio device with a USB ID of (0x04fa, 0x4201) and the number of it's interfaces less than 4, an out-of-bounds read bug occurs when parsing the interface descriptor for this device. Fix this by checking the number of interfaces. CVE-2022-48701 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2022-48701.html CVE-2022-48701 https://bugzilla.suse.com/1223921 SUSE Bug 1223921 In the Linux kernel, the following vulnerability has been resolved: ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc() The voice allocator sometimes begins allocating from near the end of the array and then wraps around, however snd_emu10k1_pcm_channel_alloc() accesses the newly allocated voices as if it never wrapped around. This results in out of bounds access if the first voice has a high enough index so that first_voice + requested_voice_count > NUM_G (64). The more voices are requested, the more likely it is for this to occur. This was initially discovered using PipeWire, however it can be reproduced by calling aplay multiple times with 16 channels: aplay -r 48000 -D plughw:CARD=Live,DEV=3 -c 16 /dev/zero UBSAN: array-index-out-of-bounds in sound/pci/emu10k1/emupcm.c:127:40 index 65 is out of range for type 'snd_emu10k1_voice [64]' CPU: 1 PID: 31977 Comm: aplay Tainted: G W IOE 6.0.0-rc2-emu10k1+ #7 Hardware name: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W DH Deluxe, BIOS 3002 07/22/2010 Call Trace: <TASK> dump_stack_lvl+0x49/0x63 dump_stack+0x10/0x16 ubsan_epilogue+0x9/0x3f __ubsan_handle_out_of_bounds.cold+0x44/0x49 snd_emu10k1_playback_hw_params+0x3bc/0x420 [snd_emu10k1] snd_pcm_hw_params+0x29f/0x600 [snd_pcm] snd_pcm_common_ioctl+0x188/0x1410 [snd_pcm] ? exit_to_user_mode_prepare+0x35/0x170 ? do_syscall_64+0x69/0x90 ? syscall_exit_to_user_mode+0x26/0x50 ? do_syscall_64+0x69/0x90 ? exit_to_user_mode_prepare+0x35/0x170 snd_pcm_ioctl+0x27/0x40 [snd_pcm] __x64_sys_ioctl+0x95/0xd0 do_syscall_64+0x5c/0x90 ? do_syscall_64+0x69/0x90 ? do_syscall_64+0x69/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd CVE-2022-48702 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2022-48702.html CVE-2022-48702 https://bugzilla.suse.com/1223923 SUSE Bug 1223923 In the Linux kernel, the following vulnerability has been resolved: thermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR In some case, the GDDV returns a package with a buffer which has zero length. It causes that kmemdup() returns ZERO_SIZE_PTR (0x10). Then the data_vault_read() got NULL point dereference problem when accessing the 0x10 value in data_vault. [ 71.024560] BUG: kernel NULL pointer dereference, address: 0000000000000010 This patch uses ZERO_OR_NULL_PTR() for checking ZERO_SIZE_PTR or NULL value in data_vault. CVE-2022-48703 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2022-48703.html CVE-2022-48703 https://bugzilla.suse.com/1223924 SUSE Bug 1223924 In the Linux kernel, the following vulnerability has been resolved: drm/radeon: add a force flush to delay work when radeon Although radeon card fence and wait for gpu to finish processing current batch rings, there is still a corner case that radeon lockup work queue may not be fully flushed, and meanwhile the radeon_suspend_kms() function has called pci_set_power_state() to put device in D3hot state. Per PCI spec rev 4.0 on 5.3.1.4.1 D3hot State. > Configuration and Message requests are the only TLPs accepted by a Function in > the D3hot state. All other received Requests must be handled as Unsupported Requests, > and all received Completions may optionally be handled as Unexpected Completions. This issue will happen in following logs: Unable to handle kernel paging request at virtual address 00008800e0008010 CPU 0 kworker/0:3(131): Oops 0 pc = [<ffffffff811bea5c>] ra = [<ffffffff81240844>] ps = 0000 Tainted: G W pc is at si_gpu_check_soft_reset+0x3c/0x240 ra is at si_dma_is_lockup+0x34/0xd0 v0 = 0000000000000000 t0 = fff08800e0008010 t1 = 0000000000010000 t2 = 0000000000008010 t3 = fff00007e3c00000 t4 = fff00007e3c00258 t5 = 000000000000ffff t6 = 0000000000000001 t7 = fff00007ef078000 s0 = fff00007e3c016e8 s1 = fff00007e3c00000 s2 = fff00007e3c00018 s3 = fff00007e3c00000 s4 = fff00007fff59d80 s5 = 0000000000000000 s6 = fff00007ef07bd98 a0 = fff00007e3c00000 a1 = fff00007e3c016e8 a2 = 0000000000000008 a3 = 0000000000000001 a4 = 8f5c28f5c28f5c29 a5 = ffffffff810f4338 t8 = 0000000000000275 t9 = ffffffff809b66f8 t10 = ff6769c5d964b800 t11= 000000000000b886 pv = ffffffff811bea20 at = 0000000000000000 gp = ffffffff81d89690 sp = 00000000aa814126 Disabling lock debugging due to kernel taint Trace: [<ffffffff81240844>] si_dma_is_lockup+0x34/0xd0 [<ffffffff81119610>] radeon_fence_check_lockup+0xd0/0x290 [<ffffffff80977010>] process_one_work+0x280/0x550 [<ffffffff80977350>] worker_thread+0x70/0x7c0 [<ffffffff80977410>] worker_thread+0x130/0x7c0 [<ffffffff80982040>] kthread+0x200/0x210 [<ffffffff809772e0>] worker_thread+0x0/0x7c0 [<ffffffff80981f8c>] kthread+0x14c/0x210 [<ffffffff80911658>] ret_from_kernel_thread+0x18/0x20 [<ffffffff80981e40>] kthread+0x0/0x210 Code: ad3e0008 43f0074a ad7e0018 ad9e0020 8c3001e8 40230101 <88210000> 4821ed21 So force lockup work queue flush to fix this problem. CVE-2022-48704 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2022-48704.html CVE-2022-48704 https://bugzilla.suse.com/1223932 SUSE Bug 1223932 In the Linux kernel, the following vulnerability has been resolved: media: s5p_cec: limit msg.len to CEC_MAX_MSG_SIZE I expect that the hardware will have limited this to 16, but just in case it hasn't, check for this corner case. CVE-2022-49035 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2022-49035.html CVE-2022-49035 https://bugzilla.suse.com/1215304 SUSE Bug 1215304 https://bugzilla.suse.com/1235013 SUSE Bug 1235013 A deadlock flaw was found in the Linux kernel's BPF subsystem. This flaw allows a local user to potentially crash the system. CVE-2023-0160 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2023-0160.html CVE-2023-0160 https://bugzilla.suse.com/1209657 SUSE Bug 1209657 An out-of-bounds read vulnerability was found in the SR-IPv6 implementation in the Linux kernel. The flaw exists within the processing of seg6 attributes. The issue results from the improper validation of user-supplied data, which can result in a read past the end of an allocated buffer. This flaw allows a privileged local user to disclose sensitive information on affected installations of the Linux kernel. CVE-2023-2860 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2023-2860.html CVE-2023-2860 https://bugzilla.suse.com/1211592 SUSE Bug 1211592 The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. For physically proximate attackers with local access, this "could be exploited in a real world scenario." This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c. CVE-2023-47233 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2023-47233.html CVE-2023-47233 https://bugzilla.suse.com/1216702 SUSE Bug 1216702 https://bugzilla.suse.com/1224592 SUSE Bug 1224592 In the Linux kernel, the following vulnerability has been resolved: reiserfs: Avoid touching renamed directory if parent does not change The VFS will not be locking moved directory if its parent does not change. Change reiserfs rename code to avoid touching renamed directory if its parent does not change as without locking that can corrupt the filesystem. CVE-2023-52591 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2023-52591.html CVE-2023-52591 https://bugzilla.suse.com/1221044 SUSE Bug 1221044 https://bugzilla.suse.com/1221578 SUSE Bug 1221578 https://bugzilla.suse.com/1221598 SUSE Bug 1221598 In the Linux kernel, the following vulnerability has been resolved: io_uring/af_unix: disable sending io_uring over sockets File reference cycles have caused lots of problems for io_uring in the past, and it still doesn't work exactly right and races with unix_stream_read_generic(). The safest fix would be to completely disallow sending io_uring files via sockets via SCM_RIGHT, so there are no possible cycles invloving registered files and thus rendering SCM accounting on the io_uring side unnecessary. CVE-2023-52654 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2023-52654.html CVE-2023-52654 https://bugzilla.suse.com/1224099 SUSE Bug 1224099 In the Linux kernel, the following vulnerability has been resolved: usb: aqc111: check packet for fixup for true limit If a device sends a packet that is inbetween 0 and sizeof(u64) the value passed to skb_trim() as length will wrap around ending up as some very large value. The driver will then proceed to parse the header located at that position, which will either oops or process some random value. The fix is to check against sizeof(u64) rather than 0, which the driver currently does. The issue exists since the introduction of the driver. CVE-2023-52655 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2023-52655.html CVE-2023-52655 https://bugzilla.suse.com/1217169 SUSE Bug 1217169 In the Linux kernel, the following vulnerability has been resolved: bpf: Guard stack limits against 32bit overflow This patch promotes the arithmetic around checking stack bounds to be done in the 64-bit domain, instead of the current 32bit. The arithmetic implies adding together a 64-bit register with a int offset. The register was checked to be below 1<<29 when it was variable, but not when it was fixed. The offset either comes from an instruction (in which case it is 16 bit), from another register (in which case the caller checked it to be below 1<<29 [1]), or from the size of an argument to a kfunc (in which case it can be a u32 [2]). Between the register being inconsistently checked to be below 1<<29, and the offset being up to an u32, it appears that we were open to overflowing the `int`s which were currently used for arithmetic. [1] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L7494-L7498 [2] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L11904 CVE-2023-52676 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2023-52676.html CVE-2023-52676 https://bugzilla.suse.com/1224730 SUSE Bug 1224730 https://bugzilla.suse.com/1226336 SUSE Bug 1226336 A use-after-free flaw was found in the Linux Kernel due to a race problem in the unix garbage collector's deletion of SKB races with unix_stream_read_generic() on the socket that the SKB is queued on. CVE-2023-6531 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2023-6531.html CVE-2023-6531 https://bugzilla.suse.com/1218447 SUSE Bug 1218447 https://bugzilla.suse.com/1218487 SUSE Bug 1218487 In the Linux kernel, the following vulnerability has been resolved: fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio If kiocb_set_cancel_fn() is called for I/O submitted via io_uring, the following kernel warning appears: WARNING: CPU: 3 PID: 368 at fs/aio.c:598 kiocb_set_cancel_fn+0x9c/0xa8 Call trace: kiocb_set_cancel_fn+0x9c/0xa8 ffs_epfile_read_iter+0x144/0x1d0 io_read+0x19c/0x498 io_issue_sqe+0x118/0x27c io_submit_sqes+0x25c/0x5fc __arm64_sys_io_uring_enter+0x104/0xab0 invoke_syscall+0x58/0x11c el0_svc_common+0xb4/0xf4 do_el0_svc+0x2c/0xb0 el0_svc+0x2c/0xa4 el0t_64_sync_handler+0x68/0xb4 el0t_64_sync+0x1a4/0x1a8 Fix this by setting the IOCB_AIO_RW flag for read and write I/O that is submitted by libaio. CVE-2024-26764 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2024-26764.html CVE-2024-26764 https://bugzilla.suse.com/1222721 SUSE Bug 1222721 In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach This is the candidate patch of CVE-2023-47233 : https://nvd.nist.gov/vuln/detail/CVE-2023-47233 In brcm80211 driver,it starts with the following invoking chain to start init a timeout worker: ->brcmf_usb_probe ->brcmf_usb_probe_cb ->brcmf_attach ->brcmf_bus_started ->brcmf_cfg80211_attach ->wl_init_priv ->brcmf_init_escan ->INIT_WORK(&cfg->escan_timeout_work, brcmf_cfg80211_escan_timeout_worker); If we disconnect the USB by hotplug, it will call brcmf_usb_disconnect to make cleanup. The invoking chain is : brcmf_usb_disconnect ->brcmf_usb_disconnect_cb ->brcmf_detach ->brcmf_cfg80211_detach ->kfree(cfg); While the timeout woker may still be running. This will cause a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker. Fix it by deleting the timer and canceling the worker in brcmf_cfg80211_detach. [arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free] CVE-2024-35811 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2024-35811.html CVE-2024-35811 https://bugzilla.suse.com/1224592 SUSE Bug 1224592 In the Linux kernel, the following vulnerability has been resolved: fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion The first kiocb_set_cancel_fn() argument may point at a struct kiocb that is not embedded inside struct aio_kiocb. With the current code, depending on the compiler, the req->ki_ctx read happens either before the IOCB_AIO_RW test or after that test. Move the req->ki_ctx read such that it is guaranteed that the IOCB_AIO_RW test happens first. CVE-2024-35815 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2024-35815.html CVE-2024-35815 https://bugzilla.suse.com/1224685 SUSE Bug 1224685 In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Prevent lock inversion deadlock in map delete elem syzkaller started using corpuses where a BPF tracing program deletes elements from a sockmap/sockhash map. Because BPF tracing programs can be invoked from any interrupt context, locks taken during a map_delete_elem operation must be hardirq-safe. Otherwise a deadlock due to lock inversion is possible, as reported by lockdep: CPU0 CPU1 ---- ---- lock(&htab->buckets[i].lock); local_irq_disable(); lock(&host->lock); lock(&htab->buckets[i].lock); <Interrupt> lock(&host->lock); Locks in sockmap are hardirq-unsafe by design. We expects elements to be deleted from sockmap/sockhash only in task (normal) context with interrupts enabled, or in softirq context. Detect when map_delete_elem operation is invoked from a context which is _not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an error. Note that map updates are not affected by this issue. BPF verifier does not allow updating sockmap/sockhash from a BPF tracing program today. CVE-2024-35895 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2024-35895.html CVE-2024-35895 https://bugzilla.suse.com/1224511 SUSE Bug 1224511 In the Linux kernel, the following vulnerability has been resolved: nfsd: Fix error cleanup path in nfsd_rename() Commit a8b0026847b8 ("rename(): avoid a deadlock in the case of parents having no common ancestor") added an error bail out path. However this path does not drop the remount protection that has been acquired. Fix the cleanup path to properly drop the remount protection. CVE-2024-35914 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2024-35914.html CVE-2024-35914 https://bugzilla.suse.com/1224482 SUSE Bug 1224482 In the Linux kernel, the following vulnerability has been resolved: tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler(). """ We are seeing a use-after-free from a bpf prog attached to trace_tcp_retransmit_synack. The program passes the req->sk to the bpf_sk_storage_get_tracing kernel helper which does check for null before using it. """ The commit 83fccfc3940c ("inet: fix potential deadlock in reqsk_queue_unlink()") added timer_pending() in reqsk_queue_unlink() not to call del_timer_sync() from reqsk_timer_handler(), but it introduced a small race window. Before the timer is called, expire_timers() calls detach_timer(timer, true) to clear timer->entry.pprev and marks it as not pending. If reqsk_queue_unlink() checks timer_pending() just after expire_timers() calls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will continue running and send multiple SYN+ACKs until it expires. The reported UAF could happen if req->sk is close()d earlier than the timer expiration, which is 63s by default. The scenario would be 1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(), but del_timer_sync() is missed 2. reqsk timer is executed and scheduled again 3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but reqsk timer still has another one, and inet_csk_accept() does not clear req->sk for non-TFO sockets 4. sk is close()d 5. reqsk timer is executed again, and BPF touches req->sk Let's not use timer_pending() by passing the caller context to __inet_csk_reqsk_queue_drop(). Note that reqsk timer is pinned, so the issue does not happen in most use cases. [1] [0] BUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0 Use-after-free read at 0x00000000a891fb3a (in kfence-#1): bpf_sk_storage_get_tracing+0x2e/0x1b0 bpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda bpf_trace_run2+0x4c/0xc0 tcp_rtx_synack+0xf9/0x100 reqsk_timer_handler+0xda/0x3d0 run_timer_softirq+0x292/0x8a0 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 intel_idle_irq+0x5a/0xa0 cpuidle_enter_state+0x94/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb kfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6 allocated by task 0 on cpu 9 at 260507.901592s: sk_prot_alloc+0x35/0x140 sk_clone_lock+0x1f/0x3f0 inet_csk_clone_lock+0x15/0x160 tcp_create_openreq_child+0x1f/0x410 tcp_v6_syn_recv_sock+0x1da/0x700 tcp_check_req+0x1fb/0x510 tcp_v6_rcv+0x98b/0x1420 ipv6_list_rcv+0x2258/0x26e0 napi_complete_done+0x5b1/0x2990 mlx5e_napi_poll+0x2ae/0x8d0 net_rx_action+0x13e/0x590 irq_exit_rcu+0xf5/0x320 common_interrupt+0x80/0x90 asm_common_interrupt+0x22/0x40 cpuidle_enter_state+0xfb/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb freed by task 0 on cpu 9 at 260507.927527s: rcu_core_si+0x4ff/0xf10 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 cpuidle_enter_state+0xfb/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb CVE-2024-50154 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2024-50154.html CVE-2024-50154 https://bugzilla.suse.com/1233070 SUSE Bug 1233070 https://bugzilla.suse.com/1233072 SUSE Bug 1233072 In the Linux kernel, the following vulnerability has been resolved: smb: client: Fix use-after-free of network namespace. Recently, we got a customer report that CIFS triggers oops while reconnecting to a server. [0] The workload runs on Kubernetes, and some pods mount CIFS servers in non-root network namespaces. The problem rarely happened, but it was always while the pod was dying. The root cause is wrong reference counting for network namespace. CIFS uses kernel sockets, which do not hold refcnt of the netns that the socket belongs to. That means CIFS must ensure the socket is always freed before its netns; otherwise, use-after-free happens. The repro steps are roughly: 1. mount CIFS in a non-root netns 2. drop packets from the netns 3. destroy the netns 4. unmount CIFS We can reproduce the issue quickly with the script [1] below and see the splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled. When the socket is TCP, it is hard to guarantee the netns lifetime without holding refcnt due to async timers. Let's hold netns refcnt for each socket as done for SMC in commit 9744d2bf1976 ("smc: Fix use-after-free in tcp_write_timer_handler()."). Note that we need to move put_net() from cifs_put_tcp_session() to clean_demultiplex_info(); otherwise, __sock_create() still could touch a freed netns while cifsd tries to reconnect from cifs_demultiplex_thread(). Also, maybe_get_net() cannot be put just before __sock_create() because the code is not under RCU and there is a small chance that the same address happened to be reallocated to another netns. [0]: CIFS: VFS: \\XXXXXXXXXXX has not responded in 15 seconds. Reconnecting... CIFS: Serverclose failed 4 times, giving up Unable to handle kernel paging request at virtual address 14de99e461f84a07 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0 [14de99e461f84a07] address between user and kernel address ranges Internal error: Oops: 0000000096000004 [#1] SMP Modules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfs CPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1 Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018 pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : fib_rules_lookup+0x44/0x238 lr : __fib_lookup+0x64/0xbc sp : ffff8000265db790 x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01 x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580 x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500 x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002 x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294 x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000 x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0 x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500 Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne ---truncated--- CVE-2024-53095 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2024-53095.html CVE-2024-53095 https://bugzilla.suse.com/1233642 SUSE Bug 1233642 In the Linux kernel, the following vulnerability has been resolved: initramfs: avoid filename buffer overrun The initramfs filename field is defined in Documentation/driver-api/early-userspace/buffer-format.rst as: 37 cpio_file := ALGN(4) + cpio_header + filename + "\0" + ALGN(4) + data ... 55 ============= ================== ========================= 56 Field name Field size Meaning 57 ============= ================== ========================= ... 70 c_namesize 8 bytes Length of filename, including final \0 When extracting an initramfs cpio archive, the kernel's do_name() path handler assumes a zero-terminated path at @collected, passing it directly to filp_open() / init_mkdir() / init_mknod(). If a specially crafted cpio entry carries a non-zero-terminated filename and is followed by uninitialized memory, then a file may be created with trailing characters that represent the uninitialized memory. The ability to create an initramfs entry would imply already having full control of the system, so the buffer overrun shouldn't be considered a security vulnerability. Append the output of the following bash script to an existing initramfs and observe any created /initramfs_test_fname_overrunAA* path. E.g. ./reproducer.sh | gzip >> /myinitramfs It's easiest to observe non-zero uninitialized memory when the output is gzipped, as it'll overflow the heap allocated @out_buf in __gunzip(), rather than the initrd_start+initrd_size block. ---- reproducer.sh ---- nilchar="A" # change to "\0" to properly zero terminate / pad magic="070701" ino=1 mode=$(( 0100777 )) uid=0 gid=0 nlink=1 mtime=1 filesize=0 devmajor=0 devminor=1 rdevmajor=0 rdevminor=0 csum=0 fname="initramfs_test_fname_overrun" namelen=$(( ${#fname} + 1 )) # plus one to account for terminator printf "%s%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%s" \ $magic $ino $mode $uid $gid $nlink $mtime $filesize \ $devmajor $devminor $rdevmajor $rdevminor $namelen $csum $fname termpadlen=$(( 1 + ((4 - ((110 + $namelen) & 3)) % 4) )) printf "%.s${nilchar}" $(seq 1 $termpadlen) ---- reproducer.sh ---- Symlink filename fields handled in do_symlink() won't overrun past the data segment, due to the explicit zero-termination of the symlink target. Fix filename buffer overrun by aborting the initramfs FSM if any cpio entry doesn't carry a zero-terminator at the expected (name_len - 1) offset. CVE-2024-53142 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2024-53142.html CVE-2024-53142 https://bugzilla.suse.com/1232436 SUSE Bug 1232436 In the Linux kernel, the following vulnerability has been resolved: NFSD: Prevent a potential integer overflow If the tag length is >= U32_MAX - 3 then the "length + 4" addition can result in an integer overflow. Address this by splitting the decoding into several steps so that decode_cb_compound4res() does not have to perform arithmetic on the unsafe length value. CVE-2024-53146 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2024-53146.html CVE-2024-53146 https://bugzilla.suse.com/1234853 SUSE Bug 1234853 https://bugzilla.suse.com/1234854 SUSE Bug 1234854 In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service() I found the following bug in my fuzzer: UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htc_hst.c:26:51 index 255 is out of range for type 'htc_endpoint [22]' CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.11.0-rc6-dirty #14 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: events request_firmware_work_func Call Trace: <TASK> dump_stack_lvl+0x180/0x1b0 __ubsan_handle_out_of_bounds+0xd4/0x130 htc_issue_send.constprop.0+0x20c/0x230 ? _raw_spin_unlock_irqrestore+0x3c/0x70 ath9k_wmi_cmd+0x41d/0x610 ? mark_held_locks+0x9f/0xe0 ... Since this bug has been confirmed to be caused by insufficient verification of conn_rsp_epid, I think it would be appropriate to add a range check for conn_rsp_epid to htc_connect_service() to prevent the bug from occurring. CVE-2024-53156 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2024-53156.html CVE-2024-53156 https://bugzilla.suse.com/1234846 SUSE Bug 1234846 https://bugzilla.suse.com/1234847 SUSE Bug 1234847 https://bugzilla.suse.com/1234853 SUSE Bug 1234853 In the Linux kernel, the following vulnerability has been resolved: NFSv4.0: Fix a use-after-free problem in the asynchronous open() Yang Erkun reports that when two threads are opening files at the same time, and are forced to abort before a reply is seen, then the call to nfs_release_seqid() in nfs4_opendata_free() can result in a use-after-free of the pointer to the defunct rpc task of the other thread. The fix is to ensure that if the RPC call is aborted before the call to nfs_wait_on_sequence() is complete, then we must call nfs_release_seqid() in nfs4_open_release() before the rpc_task is freed. CVE-2024-53173 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2024-53173.html CVE-2024-53173 https://bugzilla.suse.com/1234853 SUSE Bug 1234853 https://bugzilla.suse.com/1234891 SUSE Bug 1234891 https://bugzilla.suse.com/1234892 SUSE Bug 1234892 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free of signing key Customers have reported use-after-free in @ses->auth_key.response with SMB2.1 + sign mounts which occurs due to following race: task A task B cifs_mount() dfs_mount_share() get_session() cifs_mount_get_session() cifs_send_recv() cifs_get_smb_ses() compound_send_recv() cifs_setup_session() smb2_setup_request() kfree_sensitive() smb2_calc_signature() crypto_shash_setkey() *UAF* Fix this by ensuring that we have a valid @ses->auth_key.response by checking whether @ses->ses_status is SES_GOOD or SES_EXITING with @ses->ses_lock held. After commit 24a9799aa8ef ("smb: client: fix UAF in smb2_reconnect_server()"), we made sure to call ->logoff() only when @ses was known to be good (e.g. valid ->auth_key.response), so it's safe to access signing key when @ses->ses_status == SES_EXITING. CVE-2024-53179 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2024-53179.html CVE-2024-53179 https://bugzilla.suse.com/1234921 SUSE Bug 1234921 https://bugzilla.suse.com/1234927 SUSE Bug 1234927 In the Linux kernel, the following vulnerability has been resolved: tcp: Fix use-after-free of nreq in reqsk_timer_handler(). The cited commit replaced inet_csk_reqsk_queue_drop_and_put() with __inet_csk_reqsk_queue_drop() and reqsk_put() in reqsk_timer_handler(). Then, oreq should be passed to reqsk_put() instead of req; otherwise use-after-free of nreq could happen when reqsk is migrated but the retry attempt failed (e.g. due to timeout). Let's pass oreq to reqsk_put(). CVE-2024-53206 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2024-53206.html CVE-2024-53206 https://bugzilla.suse.com/1234960 SUSE Bug 1234960 In the Linux kernel, the following vulnerability has been resolved: vfio/pci: Properly hide first-in-list PCIe extended capability There are cases where a PCIe extended capability should be hidden from the user. For example, an unknown capability (i.e., capability with ID greater than PCI_EXT_CAP_ID_MAX) or a capability that is intentionally chosen to be hidden from the user. Hiding a capability is done by virtualizing and modifying the 'Next Capability Offset' field of the previous capability so it points to the capability after the one that should be hidden. The special case where the first capability in the list should be hidden is handled differently because there is no previous capability that can be modified. In this case, the capability ID and version are zeroed while leaving the next pointer intact. This hides the capability and leaves an anchor for the rest of the capability list. However, today, hiding the first capability in the list is not done properly if the capability is unknown, as struct vfio_pci_core_device->pci_config_map is set to the capability ID during initialization but the capability ID is not properly checked later when used in vfio_config_do_rw(). This leads to the following warning [1] and to an out-of-bounds access to ecap_perms array. Fix it by checking cap_id in vfio_config_do_rw(), and if it is greater than PCI_EXT_CAP_ID_MAX, use an alternative struct perm_bits for direct read only access instead of the ecap_perms array. Note that this is safe since the above is the only case where cap_id can exceed PCI_EXT_CAP_ID_MAX (except for the special capabilities, which are already checked before). [1] WARNING: CPU: 118 PID: 5329 at drivers/vfio/pci/vfio_pci_config.c:1900 vfio_pci_config_rw+0x395/0x430 [vfio_pci_core] CPU: 118 UID: 0 PID: 5329 Comm: simx-qemu-syste Not tainted 6.12.0+ #1 (snip) Call Trace: <TASK> ? show_regs+0x69/0x80 ? __warn+0x8d/0x140 ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core] ? report_bug+0x18f/0x1a0 ? handle_bug+0x63/0xa0 ? exc_invalid_op+0x19/0x70 ? asm_exc_invalid_op+0x1b/0x20 ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core] ? vfio_pci_config_rw+0x244/0x430 [vfio_pci_core] vfio_pci_rw+0x101/0x1b0 [vfio_pci_core] vfio_pci_core_read+0x1d/0x30 [vfio_pci_core] vfio_device_fops_read+0x27/0x40 [vfio] vfs_read+0xbd/0x340 ? vfio_device_fops_unl_ioctl+0xbb/0x740 [vfio] ? __rseq_handle_notify_resume+0xa4/0x4b0 __x64_sys_pread64+0x96/0xc0 x64_sys_call+0x1c3d/0x20d0 do_syscall_64+0x4d/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e CVE-2024-53214 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2024-53214.html CVE-2024-53214 https://bugzilla.suse.com/1235004 SUSE Bug 1235004 https://bugzilla.suse.com/1235005 SUSE Bug 1235005 In the Linux kernel, the following vulnerability has been resolved: ALSA: 6fire: Release resources at card release The current 6fire code tries to release the resources right after the call of usb6fire_chip_abort(). But at this moment, the card object might be still in use (as we're calling snd_card_free_when_closed()). For avoid potential UAFs, move the release of resources to the card's private_free instead of the manual call of usb6fire_chip_destroy() at the USB disconnect callback. CVE-2024-53239 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2024-53239.html CVE-2024-53239 https://bugzilla.suse.com/1234853 SUSE Bug 1234853 https://bugzilla.suse.com/1235054 SUSE Bug 1235054 https://bugzilla.suse.com/1235055 SUSE Bug 1235055 In the Linux kernel, the following vulnerability has been resolved: xen/netfront: fix crash when removing device When removing a netfront device directly after a suspend/resume cycle it might happen that the queues have not been setup again, causing a crash during the attempt to stop the queues another time. Fix that by checking the queues are existing before trying to stop them. This is XSA-465 / CVE-2024-53240. CVE-2024-53240 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2024-53240.html CVE-2024-53240 https://bugzilla.suse.com/1234281 SUSE Bug 1234281 In the Linux kernel, the following vulnerability has been resolved: x86/xen: don't do PV iret hypercall through hypercall page Instead of jumping to the Xen hypercall page for doing the iret hypercall, directly code the required sequence in xen-asm.S. This is done in preparation of no longer using hypercall page at all, as it has shown to cause problems with speculation mitigations. This is part of XSA-466 / CVE-2024-53241. CVE-2024-53241 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2024-53241.html CVE-2024-53241 https://bugzilla.suse.com/1234282 SUSE Bug 1234282 In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan() Replace one-element array with a flexible-array member in `struct mwifiex_ie_types_wildcard_ssid_params` to fix the following warning on a MT8173 Chromebook (mt8173-elm-hana): [ 356.775250] ------------[ cut here ]------------ [ 356.784543] memcpy: detected field-spanning write (size 6) of single field "wildcard_ssid_tlv->ssid" at drivers/net/wireless/marvell/mwifiex/scan.c:904 (size 1) [ 356.813403] WARNING: CPU: 3 PID: 742 at drivers/net/wireless/marvell/mwifiex/scan.c:904 mwifiex_scan_networks+0x4fc/0xf28 [mwifiex] The "(size 6)" above is exactly the length of the SSID of the network this device was connected to. The source of the warning looks like: ssid_len = user_scan_in->ssid_list[i].ssid_len; [...] memcpy(wildcard_ssid_tlv->ssid, user_scan_in->ssid_list[i].ssid, ssid_len); There is a #define WILDCARD_SSID_TLV_MAX_SIZE that uses sizeof() on this struct, but it already didn't account for the size of the one-element array, so it doesn't need to be changed. CVE-2024-56539 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2024-56539.html CVE-2024-56539 https://bugzilla.suse.com/1234853 SUSE Bug 1234853 https://bugzilla.suse.com/1234963 SUSE Bug 1234963 https://bugzilla.suse.com/1234964 SUSE Bug 1234964 In the Linux kernel, the following vulnerability has been resolved: hfsplus: don't query the device logical block size multiple times Devices block sizes may change. One of these cases is a loop device by using ioctl LOOP_SET_BLOCK_SIZE. While this may cause other issues like IO being rejected, in the case of hfsplus, it will allocate a block by using that size and potentially write out-of-bounds when hfsplus_read_wrapper calls hfsplus_submit_bio and the latter function reads a different io_size. Using a new min_io_size initally set to sb_min_blocksize works for the purposes of the original fix, since it will be set to the max between HFSPLUS_SECTOR_SIZE and the first seen logical block size. We still use the max between HFSPLUS_SECTOR_SIZE and min_io_size in case the latter is not initialized. Tested by mounting an hfsplus filesystem with loop block sizes 512, 1024 and 4096. The produced KASAN report before the fix looks like this: [ 419.944641] ================================================================== [ 419.945655] BUG: KASAN: slab-use-after-free in hfsplus_read_wrapper+0x659/0xa0a [ 419.946703] Read of size 2 at addr ffff88800721fc00 by task repro/10678 [ 419.947612] [ 419.947846] CPU: 0 UID: 0 PID: 10678 Comm: repro Not tainted 6.12.0-rc5-00008-gdf56e0f2f3ca #84 [ 419.949007] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 [ 419.950035] Call Trace: [ 419.950384] <TASK> [ 419.950676] dump_stack_lvl+0x57/0x78 [ 419.951212] ? hfsplus_read_wrapper+0x659/0xa0a [ 419.951830] print_report+0x14c/0x49e [ 419.952361] ? __virt_addr_valid+0x267/0x278 [ 419.952979] ? kmem_cache_debug_flags+0xc/0x1d [ 419.953561] ? hfsplus_read_wrapper+0x659/0xa0a [ 419.954231] kasan_report+0x89/0xb0 [ 419.954748] ? hfsplus_read_wrapper+0x659/0xa0a [ 419.955367] hfsplus_read_wrapper+0x659/0xa0a [ 419.955948] ? __pfx_hfsplus_read_wrapper+0x10/0x10 [ 419.956618] ? do_raw_spin_unlock+0x59/0x1a9 [ 419.957214] ? _raw_spin_unlock+0x1a/0x2e [ 419.957772] hfsplus_fill_super+0x348/0x1590 [ 419.958355] ? hlock_class+0x4c/0x109 [ 419.958867] ? __pfx_hfsplus_fill_super+0x10/0x10 [ 419.959499] ? __pfx_string+0x10/0x10 [ 419.960006] ? lock_acquire+0x3e2/0x454 [ 419.960532] ? bdev_name.constprop.0+0xce/0x243 [ 419.961129] ? __pfx_bdev_name.constprop.0+0x10/0x10 [ 419.961799] ? pointer+0x3f0/0x62f [ 419.962277] ? __pfx_pointer+0x10/0x10 [ 419.962761] ? vsnprintf+0x6c4/0xfba [ 419.963178] ? __pfx_vsnprintf+0x10/0x10 [ 419.963621] ? setup_bdev_super+0x376/0x3b3 [ 419.964029] ? snprintf+0x9d/0xd2 [ 419.964344] ? __pfx_snprintf+0x10/0x10 [ 419.964675] ? lock_acquired+0x45c/0x5e9 [ 419.965016] ? set_blocksize+0x139/0x1c1 [ 419.965381] ? sb_set_blocksize+0x6d/0xae [ 419.965742] ? __pfx_hfsplus_fill_super+0x10/0x10 [ 419.966179] mount_bdev+0x12f/0x1bf [ 419.966512] ? __pfx_mount_bdev+0x10/0x10 [ 419.966886] ? vfs_parse_fs_string+0xce/0x111 [ 419.967293] ? __pfx_vfs_parse_fs_string+0x10/0x10 [ 419.967702] ? __pfx_hfsplus_mount+0x10/0x10 [ 419.968073] legacy_get_tree+0x104/0x178 [ 419.968414] vfs_get_tree+0x86/0x296 [ 419.968751] path_mount+0xba3/0xd0b [ 419.969157] ? __pfx_path_mount+0x10/0x10 [ 419.969594] ? kmem_cache_free+0x1e2/0x260 [ 419.970311] do_mount+0x99/0xe0 [ 419.970630] ? __pfx_do_mount+0x10/0x10 [ 419.971008] __do_sys_mount+0x199/0x1c9 [ 419.971397] do_syscall_64+0xd0/0x135 [ 419.971761] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 419.972233] RIP: 0033:0x7c3cb812972e [ 419.972564] Code: 48 8b 0d f5 46 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d c2 46 0d 00 f7 d8 64 89 01 48 [ 419.974371] RSP: 002b:00007ffe30632548 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 419.975048] RAX: ffffffffffffffda RBX: 00007ffe306328d8 RCX: 00007c3cb812972e [ 419.975701] RDX: 0000000020000000 RSI: 0000000020000c80 RDI: ---truncated--- CVE-2024-56548 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2024-56548.html CVE-2024-56548 https://bugzilla.suse.com/1234853 SUSE Bug 1234853 https://bugzilla.suse.com/1235073 SUSE Bug 1235073 https://bugzilla.suse.com/1235074 SUSE Bug 1235074 In the Linux kernel, the following vulnerability has been resolved: ovl: Filter invalid inodes with missing lookup function Add a check to the ovl_dentry_weird() function to prevent the processing of directory inodes that lack the lookup function. This is important because such inodes can cause errors in overlayfs when passed to the lowerstack. CVE-2024-56570 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2024-56570.html CVE-2024-56570 https://bugzilla.suse.com/1235035 SUSE Bug 1235035 In the Linux kernel, the following vulnerability has been resolved: jfs: array-index-out-of-bounds fix in dtReadFirst The value of stbl can be sometimes out of bounds due to a bad filesystem. Added a check with appopriate return of error code in that case. CVE-2024-56598 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2024-56598.html CVE-2024-56598 https://bugzilla.suse.com/1235220 SUSE Bug 1235220 https://bugzilla.suse.com/1235221 SUSE Bug 1235221 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: avoid leaving dangling sk pointer in rfcomm_sock_alloc() bt_sock_alloc() attaches allocated sk object to the provided sock object. If rfcomm_dlc_alloc() fails, we release the sk object, but leave the dangling pointer in the sock object, which may cause use-after-free. Fix this by swapping calls to bt_sock_alloc() and rfcomm_dlc_alloc(). CVE-2024-56604 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2024-56604.html CVE-2024-56604 https://bugzilla.suse.com/1235056 SUSE Bug 1235056 https://bugzilla.suse.com/1235058 SUSE Bug 1235058 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create() bt_sock_alloc() allocates the sk object and attaches it to the provided sock object. On error l2cap_sock_alloc() frees the sk object, but the dangling pointer is still attached to the sock object, which may create use-after-free in other code. CVE-2024-56605 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2024-56605.html CVE-2024-56605 https://bugzilla.suse.com/1234853 SUSE Bug 1234853 https://bugzilla.suse.com/1235061 SUSE Bug 1235061 https://bugzilla.suse.com/1235062 SUSE Bug 1235062 In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry() Syzbot reported that when searching for records in a directory where the inode's i_size is corrupted and has a large value, memory access outside the folio/page range may occur, or a use-after-free bug may be detected if KASAN is enabled. This is because nilfs_last_byte(), which is called by nilfs_find_entry() and others to calculate the number of valid bytes of directory data in a page from i_size and the page index, loses the upper 32 bits of the 64-bit size information due to an inappropriate type of local variable to which the i_size value is assigned. This caused a large byte offset value due to underflow in the end address calculation in the calling nilfs_find_entry(), resulting in memory access that exceeds the folio/page size. Fix this issue by changing the type of the local variable causing the bit loss from "unsigned int" to "u64". The return value of nilfs_last_byte() is also of type "unsigned int", but it is truncated so as not to exceed PAGE_SIZE and no bit loss occurs, so no change is required. CVE-2024-56619 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2024-56619.html CVE-2024-56619 https://bugzilla.suse.com/1235224 SUSE Bug 1235224 https://bugzilla.suse.com/1235225 SUSE Bug 1235225 BlueZ HID over GATT Profile Improper Access Control Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of BlueZ. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the HID over GATT Profile. The issue results from the lack of authorization prior to allowing access to functionality. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25177. CVE-2024-8805 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.106.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.106.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250231-1/ https://www.suse.com/security/cve/CVE-2024-8805.html CVE-2024-8805 https://bugzilla.suse.com/1230697 SUSE Bug 1230697