<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">Security update for the Linux Kernel</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>SUSE-SU-2025:02852-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2025-08-18T15:58:13Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2025-08-18T15:58:13Z</InitialReleaseDate>
    <CurrentReleaseDate>2025-08-18T15:58:13Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Security update for the Linux Kernel</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">
The SUSE Linux Enterprise 15 SP5 RT kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

- CVE-2022-49138: Bluetooth: hci_event: Fix checking conn for le_conn_complete_evt (bsc#1238160).
- CVE-2023-52923: netfilter: nf_tables: split async and sync catchall in two functions (bsc#1236104).
- CVE-2023-52927: netfilter: allow exp not to be removed in nf_ct_find_expectation (bsc#1239644).
- CVE-2024-26643: Fixed mark set as dead when unbinding anonymous set with timeout (bsc#1221829).
- CVE-2024-53057: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT (bsc#1233551).
- CVE-2024-53164: net: sched: fix ordering of qlen adjustment (bsc#1234863).
- CVE-2025-21701: net: avoid race between device unregistration and ethnl ops (bsc#1237164).
- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1240799).
- CVE-2025-37797: net_sched: hfsc: Fix a UAF vulnerability in class handling (bsc#1242417).
- CVE-2025-38079: crypto: algif_hash - fix double free in hash_accept (bsc#1245217).
- CVE-2025-38181: calipso: Fix null-ptr-deref in calipso_req_{set,del}attr() (bsc#1246000).
- CVE-2025-38200: i40e: fix MMIO write access to an invalid page in i40e_clear_hw (bsc#1246045).
- CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246073).
- CVE-2025-38212: ipc: fix to protect IPCS lookups using RCU (bsc#1246029).
- CVE-2025-38213: vgacon: Add check for vc_origin address range in vgacon_scroll() (bsc#1246037).
- CVE-2025-38257: s390/pkey: Prevent overflow in size calculation for memdup_user() (bsc#1246186).
- CVE-2025-38289: scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk (bsc#1246287).
- CVE-2025-38350: net/sched: Always pass notifications when child class becomes empty (bsc#1246781).
- CVE-2025-38468: net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree (bsc#1247437).
- CVE-2025-38477: net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class (bsc#1247314).
- CVE-2025-38494: HID: core: do not bypass hid_hw_raw_request (bsc#1247349).
- CVE-2025-38495: HID: core: ensure the allocated report buffer can contain the reserved report ID (bsc#1247348).
- CVE-2025-38497: usb: gadget: configfs: Fix OOB read on empty string write (bsc#1247347).

The following non-security bugs were fixed:

- Revert 'hugetlb: unshare some PMDs when splitting VMAs' (bsc#1245431).
- Revert 'mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race'
- Revert 'mm/hugetlb: unshare page tables during VMA split, not before'
- bnxt_en: Fix GSO type for HW GRO packets on 5750X chips (bsc#1244523).
- net: usb: usbnet: restore usb%d name exception for local mac addresses (bsc#1234480 bsc#1246555).
</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
    <Note Title="Patchnames" Type="Details" Ordinal="4" xml:lang="en">Container suse/sle-micro/rt-5.5:latest-2025-2852,SUSE-2025-2852,SUSE-SLE-Micro-5.5-2025-2852</Note>
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202502852-1/</URL>
      <Description>Link for SUSE-SU-2025:02852-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://lists.suse.com/pipermail/sle-updates/2025-August/041256.html</URL>
      <Description>E-Mail link for SUSE-SU-2025:02852-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1206051</URL>
      <Description>SUSE Bug 1206051</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1221829</URL>
      <Description>SUSE Bug 1221829</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1233551</URL>
      <Description>SUSE Bug 1233551</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1234480</URL>
      <Description>SUSE Bug 1234480</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1234863</URL>
      <Description>SUSE Bug 1234863</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1236104</URL>
      <Description>SUSE Bug 1236104</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1236333</URL>
      <Description>SUSE Bug 1236333</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1237164</URL>
      <Description>SUSE Bug 1237164</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1238160</URL>
      <Description>SUSE Bug 1238160</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1239644</URL>
      <Description>SUSE Bug 1239644</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1240799</URL>
      <Description>SUSE Bug 1240799</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1242414</URL>
      <Description>SUSE Bug 1242414</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1242417</URL>
      <Description>SUSE Bug 1242417</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244309</URL>
      <Description>SUSE Bug 1244309</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244523</URL>
      <Description>SUSE Bug 1244523</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1245217</URL>
      <Description>SUSE Bug 1245217</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1245431</URL>
      <Description>SUSE Bug 1245431</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1245506</URL>
      <Description>SUSE Bug 1245506</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1245711</URL>
      <Description>SUSE Bug 1245711</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1245986</URL>
      <Description>SUSE Bug 1245986</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1246000</URL>
      <Description>SUSE Bug 1246000</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1246029</URL>
      <Description>SUSE Bug 1246029</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1246037</URL>
      <Description>SUSE Bug 1246037</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1246045</URL>
      <Description>SUSE Bug 1246045</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1246073</URL>
      <Description>SUSE Bug 1246073</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1246186</URL>
      <Description>SUSE Bug 1246186</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1246287</URL>
      <Description>SUSE Bug 1246287</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1246555</URL>
      <Description>SUSE Bug 1246555</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1246781</URL>
      <Description>SUSE Bug 1246781</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1247314</URL>
      <Description>SUSE Bug 1247314</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1247347</URL>
      <Description>SUSE Bug 1247347</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1247348</URL>
      <Description>SUSE Bug 1247348</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1247349</URL>
      <Description>SUSE Bug 1247349</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1247437</URL>
      <Description>SUSE Bug 1247437</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-49138/</URL>
      <Description>SUSE CVE CVE-2022-49138 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-49770/</URL>
      <Description>SUSE CVE CVE-2022-49770 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2023-52923/</URL>
      <Description>SUSE CVE CVE-2023-52923 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2023-52927/</URL>
      <Description>SUSE CVE CVE-2023-52927 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-26643/</URL>
      <Description>SUSE CVE CVE-2024-26643 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-53057/</URL>
      <Description>SUSE CVE CVE-2024-53057 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-53164/</URL>
      <Description>SUSE CVE CVE-2024-53164 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-57947/</URL>
      <Description>SUSE CVE CVE-2024-57947 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-21701/</URL>
      <Description>SUSE CVE CVE-2025-21701 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-21971/</URL>
      <Description>SUSE CVE CVE-2025-21971 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-37797/</URL>
      <Description>SUSE CVE CVE-2025-37797 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-37798/</URL>
      <Description>SUSE CVE CVE-2025-37798 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38079/</URL>
      <Description>SUSE CVE CVE-2025-38079 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38088/</URL>
      <Description>SUSE CVE CVE-2025-38088 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38120/</URL>
      <Description>SUSE CVE CVE-2025-38120 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38177/</URL>
      <Description>SUSE CVE CVE-2025-38177 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38181/</URL>
      <Description>SUSE CVE CVE-2025-38181 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38200/</URL>
      <Description>SUSE CVE CVE-2025-38200 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38206/</URL>
      <Description>SUSE CVE CVE-2025-38206 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38212/</URL>
      <Description>SUSE CVE CVE-2025-38212 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38213/</URL>
      <Description>SUSE CVE CVE-2025-38213 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38257/</URL>
      <Description>SUSE CVE CVE-2025-38257 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38289/</URL>
      <Description>SUSE CVE CVE-2025-38289 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38350/</URL>
      <Description>SUSE CVE CVE-2025-38350 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38468/</URL>
      <Description>SUSE CVE CVE-2025-38468 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38477/</URL>
      <Description>SUSE CVE CVE-2025-38477 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38494/</URL>
      <Description>SUSE CVE CVE-2025-38494 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38495/</URL>
      <Description>SUSE CVE CVE-2025-38495 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38497/</URL>
      <Description>SUSE CVE CVE-2025-38497 page</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="Container suse/sle-micro/rt-5.5:latest">
      <Branch Type="Product Name" Name="Container suse/sle-micro/rt-5.5:latest">
        <FullProductName ProductID="Container suse/sle-micro/rt-5.5:latest">Container suse/sle-micro/rt-5.5:latest</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Family" Name="SUSE Linux Enterprise Micro 5.5">
      <Branch Type="Product Name" Name="SUSE Linux Enterprise Micro 5.5">
        <FullProductName ProductID="SUSE Linux Enterprise Micro 5.5" CPE="cpe:/o:suse:sle-micro:5.5">SUSE Linux Enterprise Micro 5.5</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="kernel-rt-5.14.21-150500.13.103.2">
      <FullProductName ProductID="kernel-rt-5.14.21-150500.13.103.2">kernel-rt-5.14.21-150500.13.103.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="cluster-md-kmp-rt-5.14.21-150500.13.103.2">
      <FullProductName ProductID="cluster-md-kmp-rt-5.14.21-150500.13.103.2">cluster-md-kmp-rt-5.14.21-150500.13.103.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dlm-kmp-rt-5.14.21-150500.13.103.2">
      <FullProductName ProductID="dlm-kmp-rt-5.14.21-150500.13.103.2">dlm-kmp-rt-5.14.21-150500.13.103.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="gfs2-kmp-rt-5.14.21-150500.13.103.2">
      <FullProductName ProductID="gfs2-kmp-rt-5.14.21-150500.13.103.2">gfs2-kmp-rt-5.14.21-150500.13.103.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-devel-rt-5.14.21-150500.13.103.2">
      <FullProductName ProductID="kernel-devel-rt-5.14.21-150500.13.103.2">kernel-devel-rt-5.14.21-150500.13.103.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-rt-devel-5.14.21-150500.13.103.2">
      <FullProductName ProductID="kernel-rt-devel-5.14.21-150500.13.103.2">kernel-rt-devel-5.14.21-150500.13.103.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-rt-extra-5.14.21-150500.13.103.2">
      <FullProductName ProductID="kernel-rt-extra-5.14.21-150500.13.103.2">kernel-rt-extra-5.14.21-150500.13.103.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-rt-livepatch-5.14.21-150500.13.103.2">
      <FullProductName ProductID="kernel-rt-livepatch-5.14.21-150500.13.103.2">kernel-rt-livepatch-5.14.21-150500.13.103.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-rt-livepatch-devel-5.14.21-150500.13.103.2">
      <FullProductName ProductID="kernel-rt-livepatch-devel-5.14.21-150500.13.103.2">kernel-rt-livepatch-devel-5.14.21-150500.13.103.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-rt-optional-5.14.21-150500.13.103.2">
      <FullProductName ProductID="kernel-rt-optional-5.14.21-150500.13.103.2">kernel-rt-optional-5.14.21-150500.13.103.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-rt-vdso-5.14.21-150500.13.103.2">
      <FullProductName ProductID="kernel-rt-vdso-5.14.21-150500.13.103.2">kernel-rt-vdso-5.14.21-150500.13.103.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-rt_debug-5.14.21-150500.13.103.2">
      <FullProductName ProductID="kernel-rt_debug-5.14.21-150500.13.103.2">kernel-rt_debug-5.14.21-150500.13.103.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-rt_debug-devel-5.14.21-150500.13.103.2">
      <FullProductName ProductID="kernel-rt_debug-devel-5.14.21-150500.13.103.2">kernel-rt_debug-devel-5.14.21-150500.13.103.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-rt_debug-vdso-5.14.21-150500.13.103.2">
      <FullProductName ProductID="kernel-rt_debug-vdso-5.14.21-150500.13.103.2">kernel-rt_debug-vdso-5.14.21-150500.13.103.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-source-rt-5.14.21-150500.13.103.2">
      <FullProductName ProductID="kernel-source-rt-5.14.21-150500.13.103.2">kernel-source-rt-5.14.21-150500.13.103.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kselftests-kmp-rt-5.14.21-150500.13.103.2">
      <FullProductName ProductID="kselftests-kmp-rt-5.14.21-150500.13.103.2">kselftests-kmp-rt-5.14.21-150500.13.103.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="ocfs2-kmp-rt-5.14.21-150500.13.103.2">
      <FullProductName ProductID="ocfs2-kmp-rt-5.14.21-150500.13.103.2">ocfs2-kmp-rt-5.14.21-150500.13.103.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="reiserfs-kmp-rt-5.14.21-150500.13.103.2">
      <FullProductName ProductID="reiserfs-kmp-rt-5.14.21-150500.13.103.2">reiserfs-kmp-rt-5.14.21-150500.13.103.2</FullProductName>
    </Branch>
    <Relationship ProductReference="kernel-rt-5.14.21-150500.13.103.2" RelationType="Default Component Of" RelatesToProductReference="Container suse/sle-micro/rt-5.5:latest">
      <FullProductName ProductID="Container suse/sle-micro/rt-5.5:latest:kernel-rt-5.14.21-150500.13.103.2">kernel-rt-5.14.21-150500.13.103.2 as a component of Container suse/sle-micro/rt-5.5:latest</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-devel-rt-5.14.21-150500.13.103.2" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Micro 5.5">
      <FullProductName ProductID="SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.103.2">kernel-devel-rt-5.14.21-150500.13.103.2 as a component of SUSE Linux Enterprise Micro 5.5</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-rt-5.14.21-150500.13.103.2" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Micro 5.5">
      <FullProductName ProductID="SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.103.2">kernel-rt-5.14.21-150500.13.103.2 as a component of SUSE Linux Enterprise Micro 5.5</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-source-rt-5.14.21-150500.13.103.2" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Micro 5.5">
      <FullProductName ProductID="SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.103.2">kernel-source-rt-5.14.21-150500.13.103.2 as a component of SUSE Linux Enterprise Micro 5.5</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_event: Ignore multiple conn complete events

When one of the three connection complete events is received multiple
times for the same handle, the device is registered multiple times which
leads to memory corruptions. Therefore, consequent events for a single
connection are ignored.

The conn-&gt;state can hold different values, therefore HCI_CONN_HANDLE_UNSET
is introduced to identify new connections. To make sure the events do not
contain this or another invalid handle, HCI_CONN_HANDLE_MAX and checks
are introduced.

Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=215497</Note>
    </Notes>
    <CVE>CVE-2022-49138</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro/rt-5.5:latest:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.103.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202502852-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-49138.html</URL>
        <Description>CVE-2022-49138</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1238160</URL>
        <Description>SUSE Bug 1238160</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="2">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ceph: avoid putting the realm twice when decoding snaps fails

When decoding the snaps fails it may be leaving the 'first_realm'
and 'realm' pointing to the same snaprealm memory. And then it'll
put it twice and could cause random use-after-free, BUG_ON, etc
issues.</Note>
    </Notes>
    <CVE>CVE-2022-49770</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro/rt-5.5:latest:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.103.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202502852-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-49770.html</URL>
        <Description>CVE-2022-49770</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1242597</URL>
        <Description>SUSE Bug 1242597</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="3">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: adapt set backend to use GC transaction API

Use the GC transaction API to replace the old and buggy gc API and the
busy mark approach.

No set elements are removed from async garbage collection anymore,
instead the _DEAD bit is set on so the set element is not visible from
lookup path anymore. Async GC enqueues transaction work that might be
aborted and retried later.

rbtree and pipapo set backends do not set on the _DEAD bit from the
sync GC path since this runs in control plane path where mutex is held.
In this case, set elements are deactivated, removed and then released
via RCU callback, sync GC never fails.</Note>
    </Notes>
    <CVE>CVE-2023-52923</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro/rt-5.5:latest:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.103.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202502852-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2023-52923.html</URL>
        <Description>CVE-2023-52923</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1236104</URL>
        <Description>SUSE Bug 1236104</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="4">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

netfilter: allow exp not to be removed in nf_ct_find_expectation

Currently nf_conntrack_in() calling nf_ct_find_expectation() will
remove the exp from the hash table. However, in some scenarios, we
expect the exp not to be removed when the created ct will not be
confirmed, like in OVS and TC conntrack in the following patches.

This patch allows exp not to be removed by setting IPS_CONFIRMED
in the status of the tmpl.</Note>
    </Notes>
    <CVE>CVE-2023-52927</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro/rt-5.5:latest:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.103.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202502852-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2023-52927.html</URL>
        <Description>CVE-2023-52927</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1239644</URL>
        <Description>SUSE Bug 1239644</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1246016</URL>
        <Description>SUSE Bug 1246016</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="5">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout

While the rhashtable set gc runs asynchronously, a race allows it to
collect elements from anonymous sets with timeouts while it is being
released from the commit path.

Mingi Cho originally reported this issue in a different path in 6.1.x
with a pipapo set with low timeouts which is not possible upstream since
7395dfacfff6 ("netfilter: nf_tables: use timestamp to check for set
element timeout").

Fix this by setting on the dead flag for anonymous sets to skip async gc
in this case.

According to 08e4c8c5919f ("netfilter: nf_tables: mark newset as dead on
transaction abort"), Florian plans to accelerate abort path by releasing
objects via workqueue, therefore, this sets on the dead flag for abort
path too.</Note>
    </Notes>
    <CVE>CVE-2024-26643</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro/rt-5.5:latest:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.103.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202502852-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-26643.html</URL>
        <Description>CVE-2024-26643</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1221829</URL>
        <Description>SUSE Bug 1221829</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="6">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT

In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed
to be either root or ingress. This assumption is bogus since it's valid
to create egress qdiscs with major handle ffff:
Budimir Markovic found that for qdiscs like DRR that maintain an active
class list, it will cause a UAF with a dangling class pointer.

In 066a3b5b2346, the concern was to avoid iterating over the ingress
qdisc since its parent is itself. The proper fix is to stop when parent
TC_H_ROOT is reached because the only way to retrieve ingress is when a
hierarchy which does not contain a ffff: major handle call into
qdisc_lookup with TC_H_MAJ(TC_H_ROOT).

In the scenario where major ffff: is an egress qdisc in any of the tree
levels, the updates will also propagate to TC_H_ROOT, which then the
iteration must stop.</Note>
    </Notes>
    <CVE>CVE-2024-53057</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro/rt-5.5:latest:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.103.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202502852-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-53057.html</URL>
        <Description>CVE-2024-53057</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1233551</URL>
        <Description>SUSE Bug 1233551</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245816</URL>
        <Description>SUSE Bug 1245816</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="7">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net: sched: fix ordering of qlen adjustment

Changes to sch-&gt;q.qlen around qdisc_tree_reduce_backlog() need to happen
_before_ a call to said function because otherwise it may fail to notify
parent qdiscs when the child is about to become empty.</Note>
    </Notes>
    <CVE>CVE-2024-53164</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro/rt-5.5:latest:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.103.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202502852-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-53164.html</URL>
        <Description>CVE-2024-53164</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1234863</URL>
        <Description>SUSE Bug 1234863</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1246019</URL>
        <Description>SUSE Bug 1246019</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="8">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_set_pipapo: fix initial map fill

The initial buffer has to be inited to all-ones, but it must restrict
it to the size of the first field, not the total field size.

After each round in the map search step, the result and the fill map
are swapped, so if we have a set where f-&gt;bsize of the first element
is smaller than m-&gt;bsize_max, those one-bits are leaked into future
rounds result map.

This makes pipapo find incorrect matching results for sets where
first field size is not the largest.

Followup patch adds a test case to nft_concat_range.sh selftest script.

Thanks to Stefano Brivio for pointing out that we need to zero out
the remainder explicitly, only correcting memset() argument isn't enough.</Note>
    </Notes>
    <CVE>CVE-2024-57947</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro/rt-5.5:latest:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.103.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202502852-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-57947.html</URL>
        <Description>CVE-2024-57947</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1236333</URL>
        <Description>SUSE Bug 1236333</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245799</URL>
        <Description>SUSE Bug 1245799</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="9">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net: avoid race between device unregistration and ethnl ops

The following trace can be seen if a device is being unregistered while
its number of channels are being modified.

  DEBUG_LOCKS_WARN_ON(lock-&gt;magic != lock)
  WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120
  CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771
  RIP: 0010:__mutex_lock+0xc8a/0x1120
  Call Trace:
   &lt;TASK&gt;
   ethtool_check_max_channel+0x1ea/0x880
   ethnl_set_channels+0x3c3/0xb10
   ethnl_default_set_doit+0x306/0x650
   genl_family_rcv_msg_doit+0x1e3/0x2c0
   genl_rcv_msg+0x432/0x6f0
   netlink_rcv_skb+0x13d/0x3b0
   genl_rcv+0x28/0x40
   netlink_unicast+0x42e/0x720
   netlink_sendmsg+0x765/0xc20
   __sys_sendto+0x3ac/0x420
   __x64_sys_sendto+0xe0/0x1c0
   do_syscall_64+0x95/0x180
   entry_SYSCALL_64_after_hwframe+0x76/0x7e

This is because unregister_netdevice_many_notify might run before the
rtnl lock section of ethnl operations, eg. set_channels in the above
example. In this example the rss lock would be destroyed by the device
unregistration path before being used again, but in general running
ethnl operations while dismantle has started is not a good idea.

Fix this by denying any operation on devices being unregistered. A check
was already there in ethnl_ops_begin, but not wide enough.

Note that the same issue cannot be seen on the ioctl version
(__dev_ethtool) because the device reference is retrieved from within
the rtnl lock section there. Once dismantle started, the net device is
unlisted and no reference will be found.</Note>
    </Notes>
    <CVE>CVE-2025-21701</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro/rt-5.5:latest:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.103.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202502852-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-21701.html</URL>
        <Description>CVE-2025-21701</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1237164</URL>
        <Description>SUSE Bug 1237164</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245805</URL>
        <Description>SUSE Bug 1245805</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="10">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net_sched: Prevent creation of classes with TC_H_ROOT

The function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination
condition when traversing up the qdisc tree to update parent backlog
counters. However, if a class is created with classid TC_H_ROOT, the
traversal terminates prematurely at this class instead of reaching the
actual root qdisc, causing parent statistics to be incorrectly maintained.
In case of DRR, this could lead to a crash as reported by Mingi Cho.

Prevent the creation of any Qdisc class with classid TC_H_ROOT
(0xFFFFFFFF) across all qdisc types, as suggested by Jamal.</Note>
    </Notes>
    <CVE>CVE-2025-21971</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro/rt-5.5:latest:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.103.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202502852-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-21971.html</URL>
        <Description>CVE-2025-21971</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1240799</URL>
        <Description>SUSE Bug 1240799</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245794</URL>
        <Description>SUSE Bug 1245794</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="11">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net_sched: hfsc: Fix a UAF vulnerability in class handling

This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class
handling. The issue occurs due to a time-of-check/time-of-use condition
in hfsc_change_class() when working with certain child qdiscs like netem
or codel.

The vulnerability works as follows:
1. hfsc_change_class() checks if a class has packets (q.qlen != 0)
2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g.,
   codel, netem) might drop packets and empty the queue
3. The code continues assuming the queue is still non-empty, adding
   the class to vttree
4. This breaks HFSC scheduler assumptions that only non-empty classes
   are in vttree
5. Later, when the class is destroyed, this can lead to a Use-After-Free

The fix adds a second queue length check after qdisc_peek_len() to verify
the queue wasn't emptied.</Note>
    </Notes>
    <CVE>CVE-2025-37797</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro/rt-5.5:latest:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.103.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202502852-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-37797.html</URL>
        <Description>CVE-2025-37797</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1242417</URL>
        <Description>SUSE Bug 1242417</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245793</URL>
        <Description>SUSE Bug 1245793</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="12">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

codel: remove sch-&gt;q.qlen check before qdisc_tree_reduce_backlog()

After making all -&gt;qlen_notify() callbacks idempotent, now it is safe to
remove the check of qlen!=0 from both fq_codel_dequeue() and
codel_qdisc_dequeue().</Note>
    </Notes>
    <CVE>CVE-2025-37798</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro/rt-5.5:latest:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.103.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202502852-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-37798.html</URL>
        <Description>CVE-2025-37798</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1242414</URL>
        <Description>SUSE Bug 1242414</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1242417</URL>
        <Description>SUSE Bug 1242417</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="13">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

crypto: algif_hash - fix double free in hash_accept

If accept(2) is called on socket type algif_hash with
MSG_MORE flag set and crypto_ahash_import fails,
sk2 is freed. However, it is also freed in af_alg_release,
leading to slab-use-after-free error.</Note>
    </Notes>
    <CVE>CVE-2025-38079</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro/rt-5.5:latest:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.103.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202502852-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38079.html</URL>
        <Description>CVE-2025-38079</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245217</URL>
        <Description>SUSE Bug 1245217</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245218</URL>
        <Description>SUSE Bug 1245218</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="14">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap

memtrace mmap issue has an out of bounds issue. This patch fixes it by
checking that the requested mapping region size should stay within the
allocated region size.</Note>
    </Notes>
    <CVE>CVE-2025-38088</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro/rt-5.5:latest:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.103.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202502852-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38088.html</URL>
        <Description>CVE-2025-38088</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245506</URL>
        <Description>SUSE Bug 1245506</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="15">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_set_pipapo_avx2: fix initial map fill

If the first field doesn't cover the entire start map, then we must zero
out the remainder, else we leak those bits into the next match round map.

The early fix was incomplete and did only fix up the generic C
implementation.

A followup patch adds a test case to nft_concat_range.sh.</Note>
    </Notes>
    <CVE>CVE-2025-38120</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro/rt-5.5:latest:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.103.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202502852-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38120.html</URL>
        <Description>CVE-2025-38120</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245711</URL>
        <Description>SUSE Bug 1245711</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="16">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

sch_hfsc: make hfsc_qlen_notify() idempotent

hfsc_qlen_notify() is not idempotent either and not friendly
to its callers, like fq_codel_dequeue(). Let's make it idempotent
to ease qdisc_tree_reduce_backlog() callers' life:

1. update_vf() decreases cl-&gt;cl_nactive, so we can check whether it is
non-zero before calling it.

2. eltree_remove() always removes RB node cl-&gt;el_node, but we can use
   RB_EMPTY_NODE() + RB_CLEAR_NODE() to make it safe.</Note>
    </Notes>
    <CVE>CVE-2025-38177</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro/rt-5.5:latest:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.103.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202502852-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38177.html</URL>
        <Description>CVE-2025-38177</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245986</URL>
        <Description>SUSE Bug 1245986</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1246356</URL>
        <Description>SUSE Bug 1246356</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="17">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

calipso: Fix null-ptr-deref in calipso_req_{set,del}attr().

syzkaller reported a null-ptr-deref in sock_omalloc() while allocating
a CALIPSO option.  [0]

The NULL is of struct sock, which was fetched by sk_to_full_sk() in
calipso_req_setattr().

Since commit a1a5344ddbe8 ("tcp: avoid two atomic ops for syncookies"),
reqsk-&gt;rsk_listener could be NULL when SYN Cookie is returned to its
client, as hinted by the leading SYN Cookie log.

Here are 3 options to fix the bug:

  1) Return 0 in calipso_req_setattr()
  2) Return an error in calipso_req_setattr()
  3) Always set rsk_listener

1) is no go as it bypasses LSM, but 2) effectively disables SYN Cookie
for CALIPSO.  3) is also no go as there have been many efforts to reduce
atomic ops and make TCP robust against DDoS.  See also commit 3b24d854cb35
("tcp/dccp: do not touch listener sk_refcnt under synflood").

As of the blamed commit, SYN Cookie already did not need refcounting,
and no one has stumbled on the bug for 9 years, so no CALIPSO user will
care about SYN Cookie.

Let's return an error in calipso_req_setattr() and calipso_req_delattr()
in the SYN Cookie case.

This can be reproduced by [1] on Fedora and now connect() of nc times out.

[0]:
TCP: request_sock_TCPv6: Possible SYN flooding on port [::]:20002. Sending cookies.
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
CPU: 3 UID: 0 PID: 12262 Comm: syz.1.2611 Not tainted 6.14.0 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
RIP: 0010:read_pnet include/net/net_namespace.h:406 [inline]
RIP: 0010:sock_net include/net/sock.h:655 [inline]
RIP: 0010:sock_kmalloc+0x35/0x170 net/core/sock.c:2806
Code: 89 d5 41 54 55 89 f5 53 48 89 fb e8 25 e3 c6 fd e8 f0 91 e3 00 48 8d 7b 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 &lt;80&gt; 3c 02 00 0f 85 26 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b
RSP: 0018:ffff88811af89038 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff888105266400
RDX: 0000000000000006 RSI: ffff88800c890000 RDI: 0000000000000030
RBP: 0000000000000050 R08: 0000000000000000 R09: ffff88810526640e
R10: ffffed1020a4cc81 R11: ffff88810526640f R12: 0000000000000000
R13: 0000000000000820 R14: ffff888105266400 R15: 0000000000000050
FS:  00007f0653a07640(0000) GS:ffff88811af80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f863ba096f4 CR3: 00000000163c0005 CR4: 0000000000770ef0
PKRU: 80000000
Call Trace:
 &lt;IRQ&gt;
 ipv6_renew_options+0x279/0x950 net/ipv6/exthdrs.c:1288
 calipso_req_setattr+0x181/0x340 net/ipv6/calipso.c:1204
 calipso_req_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:597
 netlbl_req_setattr+0x18a/0x440 net/netlabel/netlabel_kapi.c:1249
 selinux_netlbl_inet_conn_request+0x1fb/0x320 security/selinux/netlabel.c:342
 selinux_inet_conn_request+0x1eb/0x2c0 security/selinux/hooks.c:5551
 security_inet_conn_request+0x50/0xa0 security/security.c:4945
 tcp_v6_route_req+0x22c/0x550 net/ipv6/tcp_ipv6.c:825
 tcp_conn_request+0xec8/0x2b70 net/ipv4/tcp_input.c:7275
 tcp_v6_conn_request+0x1e3/0x440 net/ipv6/tcp_ipv6.c:1328
 tcp_rcv_state_process+0xafa/0x52b0 net/ipv4/tcp_input.c:6781
 tcp_v6_do_rcv+0x8a6/0x1a40 net/ipv6/tcp_ipv6.c:1667
 tcp_v6_rcv+0x505e/0x5b50 net/ipv6/tcp_ipv6.c:1904
 ip6_protocol_deliver_rcu+0x17c/0x1da0 net/ipv6/ip6_input.c:436
 ip6_input_finish+0x103/0x180 net/ipv6/ip6_input.c:480
 NF_HOOK include/linux/netfilter.h:314 [inline]
 NF_HOOK include/linux/netfilter.h:308 [inline]
 ip6_input+0x13c/0x6b0 net/ipv6/ip6_input.c:491
 dst_input include/net/dst.h:469 [inline]
 ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]
 ip6_rcv_finish+0xb6/0x490 net/ipv6/ip6_input.c:69
 NF_HOOK include/linux/netfilter.h:314 [inline]
 NF_HOOK include/linux/netf
---truncated---</Note>
    </Notes>
    <CVE>CVE-2025-38181</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro/rt-5.5:latest:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.103.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202502852-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38181.html</URL>
        <Description>CVE-2025-38181</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1246000</URL>
        <Description>SUSE Bug 1246000</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1246001</URL>
        <Description>SUSE Bug 1246001</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="18">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

i40e: fix MMIO write access to an invalid page in i40e_clear_hw

When the device sends a specific input, an integer underflow can occur, leading
to MMIO write access to an invalid page.

Prevent the integer underflow by changing the type of related variables.</Note>
    </Notes>
    <CVE>CVE-2025-38200</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro/rt-5.5:latest:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.103.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202502852-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38200.html</URL>
        <Description>CVE-2025-38200</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1246045</URL>
        <Description>SUSE Bug 1246045</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1246046</URL>
        <Description>SUSE Bug 1246046</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="19">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

exfat: fix double free in delayed_free

The double free could happen in the following path.

exfat_create_upcase_table()
        exfat_create_upcase_table() : return error
        exfat_free_upcase_table() : free -&gt;vol_utbl
        exfat_load_default_upcase_table : return error
     exfat_kill_sb()
           delayed_free()
                  exfat_free_upcase_table() &lt;--------- double free
This patch sets -&gt;vol_utbl to NULL after freeing it.</Note>
    </Notes>
    <CVE>CVE-2025-38206</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro/rt-5.5:latest:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.103.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202502852-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38206.html</URL>
        <Description>CVE-2025-38206</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1246073</URL>
        <Description>SUSE Bug 1246073</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1246075</URL>
        <Description>SUSE Bug 1246075</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="20">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ipc: fix to protect IPCS lookups using RCU

syzbot reported that it discovered a use-after-free vulnerability, [0]

[0]: https://lore.kernel.org/all/67af13f8.050a0220.21dd3.0038.GAE@google.com/

idr_for_each() is protected by rwsem, but this is not enough.  If it is
not protected by RCU read-critical region, when idr_for_each() calls
radix_tree_node_free() through call_rcu() to free the radix_tree_node
structure, the node will be freed immediately, and when reading the next
node in radix_tree_for_each_slot(), the already freed memory may be read.

Therefore, we need to add code to make sure that idr_for_each() is
protected within the RCU read-critical region when we call it in
shm_destroy_orphaned().</Note>
    </Notes>
    <CVE>CVE-2025-38212</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro/rt-5.5:latest:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.103.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202502852-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38212.html</URL>
        <Description>CVE-2025-38212</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1246029</URL>
        <Description>SUSE Bug 1246029</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1246030</URL>
        <Description>SUSE Bug 1246030</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="21">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.</Note>
    </Notes>
    <CVE>CVE-2025-38213</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro/rt-5.5:latest:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.103.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202502852-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38213.html</URL>
        <Description>CVE-2025-38213</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1246037</URL>
        <Description>SUSE Bug 1246037</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1246039</URL>
        <Description>SUSE Bug 1246039</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="22">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

s390/pkey: Prevent overflow in size calculation for memdup_user()

Number of apqn target list entries contained in 'nr_apqns' variable is
determined by userspace via an ioctl call so the result of the product in
calculation of size passed to memdup_user() may overflow.

In this case the actual size of the allocated area and the value
describing it won't be in sync leading to various types of unpredictable
behaviour later.

Use a proper memdup_array_user() helper which returns an error if an
overflow is detected. Note that it is different from when nr_apqns is
initially zero - that case is considered valid and should be handled in
subsequent pkey_handler implementations.

Found by Linux Verification Center (linuxtesting.org).</Note>
    </Notes>
    <CVE>CVE-2025-38257</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro/rt-5.5:latest:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.103.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202502852-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38257.html</URL>
        <Description>CVE-2025-38257</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1246186</URL>
        <Description>SUSE Bug 1246186</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1246189</URL>
        <Description>SUSE Bug 1246189</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="23">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk

Smatch detected a potential use-after-free of an ndlp object in
dev_loss_tmo_callbk during driver unload or fatal error handling.

Fix by reordering code to avoid potential use-after-free if initial
nodelist reference has been previously removed.</Note>
    </Notes>
    <CVE>CVE-2025-38289</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro/rt-5.5:latest:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.103.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202502852-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38289.html</URL>
        <Description>CVE-2025-38289</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1246287</URL>
        <Description>SUSE Bug 1246287</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1246288</URL>
        <Description>SUSE Bug 1246288</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="24">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net/sched: Always pass notifications when child class becomes empty

Certain classful qdiscs may invoke their classes' dequeue handler on an
enqueue operation. This may unexpectedly empty the child qdisc and thus
make an in-flight class passive via qlen_notify(). Most qdiscs do not
expect such behaviour at this point in time and may re-activate the
class eventually anyways which will lead to a use-after-free.

The referenced fix commit attempted to fix this behavior for the HFSC
case by moving the backlog accounting around, though this turned out to
be incomplete since the parent's parent may run into the issue too.
The following reproducer demonstrates this use-after-free:

    tc qdisc add dev lo root handle 1: drr
    tc filter add dev lo parent 1: basic classid 1:1
    tc class add dev lo parent 1: classid 1:1 drr
    tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1
    tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0
    tc qdisc add dev lo parent 2:1 handle 3: netem
    tc qdisc add dev lo parent 3:1 handle 4: blackhole

    echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888
    tc class delete dev lo classid 1:1
    echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888

Since backlog accounting issues leading to use-after-frees on stale
class pointers is a recurring pattern at this point, this patch takes
a different approach. Instead of trying to fix the accounting, the patch
ensures that qdisc_tree_reduce_backlog always calls qlen_notify when
the child qdisc is empty. This solves the problem because deletion of
qdiscs always involves a call to qdisc_reset() and / or
qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing
the following qdisc_tree_reduce_backlog() to report to the parent. Note
that this may call qlen_notify on passive classes multiple times. This
is not a problem after the recent patch series that made all the
classful qdiscs qlen_notify() handlers idempotent.</Note>
    </Notes>
    <CVE>CVE-2025-38350</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro/rt-5.5:latest:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.103.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202502852-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38350.html</URL>
        <Description>CVE-2025-38350</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1246781</URL>
        <Description>SUSE Bug 1246781</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1247043</URL>
        <Description>SUSE Bug 1247043</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="25">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree

htb_lookup_leaf has a BUG_ON that can trigger with the following:

tc qdisc del dev lo root
tc qdisc add dev lo root handle 1: htb default 1
tc class add dev lo parent 1: classid 1:1 htb rate 64bit
tc qdisc add dev lo parent 1:1 handle 2: netem
tc qdisc add dev lo parent 2:1 handle 3: blackhole
ping -I lo -c1 -W0.001 127.0.0.1

The root cause is the following:

1. htb_dequeue calls htb_dequeue_tree which calls the dequeue handler on
   the selected leaf qdisc
2. netem_dequeue calls enqueue on the child qdisc
3. blackhole_enqueue drops the packet and returns a value that is not
   just NET_XMIT_SUCCESS
4. Because of this, netem_dequeue calls qdisc_tree_reduce_backlog, and
   since qlen is now 0, it calls htb_qlen_notify -&gt; htb_deactivate -&gt;
   htb_deactivate_prios -&gt; htb_remove_class_from_row -&gt; htb_safe_rb_erase
5. As this is the only class in the selected hprio rbtree,
   __rb_change_child in __rb_erase_augmented sets the rb_root pointer to
   NULL
6. Because blackhole_dequeue returns NULL, netem_dequeue returns NULL,
   which causes htb_dequeue_tree to call htb_lookup_leaf with the same
   hprio rbtree, and fail the BUG_ON

The function graph for this scenario is shown here:
 0)               |  htb_enqueue() {
 0) + 13.635 us   |    netem_enqueue();
 0)   4.719 us    |    htb_activate_prios();
 0) # 2249.199 us |  }
 0)               |  htb_dequeue() {
 0)   2.355 us    |    htb_lookup_leaf();
 0)               |    netem_dequeue() {
 0) + 11.061 us   |      blackhole_enqueue();
 0)               |      qdisc_tree_reduce_backlog() {
 0)               |        qdisc_lookup_rcu() {
 0)   1.873 us    |          qdisc_match_from_root();
 0)   6.292 us    |        }
 0)   1.894 us    |        htb_search();
 0)               |        htb_qlen_notify() {
 0)   2.655 us    |          htb_deactivate_prios();
 0)   6.933 us    |        }
 0) + 25.227 us   |      }
 0)   1.983 us    |      blackhole_dequeue();
 0) + 86.553 us   |    }
 0) # 2932.761 us |    qdisc_warn_nonwc();
 0)               |    htb_lookup_leaf() {
 0)               |      BUG_ON();
 ------------------------------------------

The full original bug report can be seen here [1].

We can fix this just by returning NULL instead of the BUG_ON,
as htb_dequeue_tree returns NULL when htb_lookup_leaf returns
NULL.

[1] https://lore.kernel.org/netdev/pF5XOOIim0IuEfhI-SOxTgRvNoDwuux7UHKnE_Y5-zVd4wmGvNk2ceHjKb8ORnzw0cGwfmVu42g9dL7XyJLf1NEzaztboTWcm0Ogxuojoeo=@willsroot.io/</Note>
    </Notes>
    <CVE>CVE-2025-38468</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro/rt-5.5:latest:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.103.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202502852-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38468.html</URL>
        <Description>CVE-2025-38468</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1247437</URL>
        <Description>SUSE Bug 1247437</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="26">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net/sched: sch_qfq: Fix race condition on qfq_aggregate

A race condition can occur when 'agg' is modified in qfq_change_agg
(called during qfq_enqueue) while other threads access it
concurrently. For example, qfq_dump_class may trigger a NULL
dereference, and qfq_delete_class may cause a use-after-free.

This patch addresses the issue by:

1. Moving qfq_destroy_class into the critical section.

2. Adding sch_tree_lock protection to qfq_dump_class and
qfq_dump_class_stats.</Note>
    </Notes>
    <CVE>CVE-2025-38477</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro/rt-5.5:latest:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.103.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202502852-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38477.html</URL>
        <Description>CVE-2025-38477</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1247314</URL>
        <Description>SUSE Bug 1247314</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1247315</URL>
        <Description>SUSE Bug 1247315</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="27">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

HID: core: do not bypass hid_hw_raw_request

hid_hw_raw_request() is actually useful to ensure the provided buffer
and length are valid. Directly calling in the low level transport driver
function bypassed those checks and allowed invalid param to be used.</Note>
    </Notes>
    <CVE>CVE-2025-38494</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro/rt-5.5:latest:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.103.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202502852-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38494.html</URL>
        <Description>CVE-2025-38494</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1247349</URL>
        <Description>SUSE Bug 1247349</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1247350</URL>
        <Description>SUSE Bug 1247350</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="28">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

HID: core: ensure the allocated report buffer can contain the reserved report ID

When the report ID is not used, the low level transport drivers expect
the first byte to be 0. However, currently the allocated buffer does not
account for that extra byte, meaning that instead of having 8 guaranteed
bytes for implement to be working, we only have 7.</Note>
    </Notes>
    <CVE>CVE-2025-38495</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro/rt-5.5:latest:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.103.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202502852-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38495.html</URL>
        <Description>CVE-2025-38495</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1247348</URL>
        <Description>SUSE Bug 1247348</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1247351</URL>
        <Description>SUSE Bug 1247351</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="29">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: configfs: Fix OOB read on empty string write

When writing an empty string to either 'qw_sign' or 'landingPage'
sysfs attributes, the store functions attempt to access page[l - 1]
before validating that the length 'l' is greater than zero.

This patch fixes the vulnerability by adding a check at the beginning
of os_desc_qw_sign_store() and webusb_landingPage_store() to handle
the zero-length input case gracefully by returning immediately.</Note>
    </Notes>
    <CVE>CVE-2025-38497</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro/rt-5.5:latest:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-devel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-rt-5.14.21-150500.13.103.2</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.5:kernel-source-rt-5.14.21-150500.13.103.2</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202502852-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38497.html</URL>
        <Description>CVE-2025-38497</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1247347</URL>
        <Description>SUSE Bug 1247347</Description>
      </Reference>
    </References>
  </Vulnerability>
</cvrfdoc>
