Security update for the Linux Kernel SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:03383-1 Final 1 1 2025-09-26T17:27:32Z current 2025-09-26T17:27:32Z 2025-09-26T17:27:32Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel The SUSE Linux Enterprise 15 SP4 RT kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2022-50116: kernel: tty: n_gsm: fix deadlock and link starvation in outgoing data path (bsc#1244824). - CVE-2024-53177: smb: prevent use-after-free due to open_cached_dir error paths (bsc#1234896). - CVE-2024-58239: tls: stop recv() if initial process_rx_list gave us non-DATA (bsc#1248614). - CVE-2025-38180: net: atm: fix /proc/net/atm/lec handling (bsc#1245970). - CVE-2025-38323: net: atm: add lec_mutex (bsc#1246473). - CVE-2025-38352: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() (bsc#1246911). - CVE-2025-38460: atm: clip: Fix potential null-ptr-deref in to_atmarpd() (bsc#1247143). - CVE-2025-38498: do_change_type(): refuse to operate on unmounted/not ours mounts (bsc#1247374). - CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1247976). - CVE-2025-38546: atm: clip: Fix memory leak of struct clip_vcc (bsc#1248223). - CVE-2025-38555: usb: gadget : fix use-after-free in composite_dev_cleanup() (bsc#1248297). - CVE-2025-38560: x86/sev: Evict cache lines during SNP memory validation (bsc#1248312). - CVE-2025-38563: perf/core: Prevent VMA split of buffer mappings (bsc#1248306). - CVE-2025-38608: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls (bsc#1248338). - CVE-2025-38617: net/packet: fix a race in packet_set_ring() and packet_notifier() (bsc#1248621). - CVE-2025-38618: vsock: Do not allow binding to VMADDR_PORT_ANY (bsc#1248511). - CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248748). The following non-security bugs were fixed: - NFSv4.1: fix backchannel max_resp_sz verification check (bsc#1247518). - Disable N_GSM (bsc#1244824 jsc#PED-8240). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-3383,SUSE-SLE-Micro-5.3-2025-3383,SUSE-SLE-Micro-5.4-2025-3383 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202503383-1/ Link for SUSE-SU-2025:03383-1 https://lists.suse.com/pipermail/sle-security-updates/2025-September/022724.html E-Mail link for SUSE-SU-2025:03383-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1234896 SUSE Bug 1234896 https://bugzilla.suse.com/1244824 SUSE Bug 1244824 https://bugzilla.suse.com/1245970 SUSE Bug 1245970 https://bugzilla.suse.com/1246473 SUSE Bug 1246473 https://bugzilla.suse.com/1246911 SUSE Bug 1246911 https://bugzilla.suse.com/1247143 SUSE Bug 1247143 https://bugzilla.suse.com/1247374 SUSE Bug 1247374 https://bugzilla.suse.com/1247518 SUSE Bug 1247518 https://bugzilla.suse.com/1247976 SUSE Bug 1247976 https://bugzilla.suse.com/1248223 SUSE Bug 1248223 https://bugzilla.suse.com/1248297 SUSE Bug 1248297 https://bugzilla.suse.com/1248306 SUSE Bug 1248306 https://bugzilla.suse.com/1248312 SUSE Bug 1248312 https://bugzilla.suse.com/1248338 SUSE Bug 1248338 https://bugzilla.suse.com/1248511 SUSE Bug 1248511 https://bugzilla.suse.com/1248614 SUSE Bug 1248614 https://bugzilla.suse.com/1248621 SUSE Bug 1248621 https://bugzilla.suse.com/1248748 SUSE Bug 1248748 https://www.suse.com/security/cve/CVE-2022-50116/ SUSE CVE CVE-2022-50116 page https://www.suse.com/security/cve/CVE-2024-53177/ SUSE CVE CVE-2024-53177 page https://www.suse.com/security/cve/CVE-2024-58239/ SUSE CVE CVE-2024-58239 page https://www.suse.com/security/cve/CVE-2025-38180/ SUSE CVE CVE-2025-38180 page https://www.suse.com/security/cve/CVE-2025-38323/ SUSE CVE CVE-2025-38323 page https://www.suse.com/security/cve/CVE-2025-38352/ SUSE CVE CVE-2025-38352 page https://www.suse.com/security/cve/CVE-2025-38460/ SUSE CVE CVE-2025-38460 page https://www.suse.com/security/cve/CVE-2025-38498/ SUSE CVE CVE-2025-38498 page https://www.suse.com/security/cve/CVE-2025-38499/ SUSE CVE CVE-2025-38499 page https://www.suse.com/security/cve/CVE-2025-38546/ SUSE CVE CVE-2025-38546 page https://www.suse.com/security/cve/CVE-2025-38555/ SUSE CVE CVE-2025-38555 page https://www.suse.com/security/cve/CVE-2025-38560/ SUSE CVE CVE-2025-38560 page https://www.suse.com/security/cve/CVE-2025-38563/ SUSE CVE CVE-2025-38563 page https://www.suse.com/security/cve/CVE-2025-38608/ SUSE CVE CVE-2025-38608 page https://www.suse.com/security/cve/CVE-2025-38617/ SUSE CVE CVE-2025-38617 page https://www.suse.com/security/cve/CVE-2025-38618/ SUSE CVE CVE-2025-38618 page https://www.suse.com/security/cve/CVE-2025-38644/ SUSE CVE CVE-2025-38644 page SUSE Linux Enterprise Micro 5.3 SUSE Linux Enterprise Micro 5.4 cluster-md-kmp-rt-5.14.21-150400.15.130.1 dlm-kmp-rt-5.14.21-150400.15.130.1 gfs2-kmp-rt-5.14.21-150400.15.130.1 kernel-devel-rt-5.14.21-150400.15.130.1 kernel-rt-5.14.21-150400.15.130.1 kernel-rt-devel-5.14.21-150400.15.130.1 kernel-rt-extra-5.14.21-150400.15.130.1 kernel-rt-livepatch-5.14.21-150400.15.130.1 kernel-rt-livepatch-devel-5.14.21-150400.15.130.1 kernel-rt-optional-5.14.21-150400.15.130.1 kernel-rt_debug-5.14.21-150400.15.130.1 kernel-rt_debug-devel-5.14.21-150400.15.130.1 kernel-source-rt-5.14.21-150400.15.130.1 kselftests-kmp-rt-5.14.21-150400.15.130.1 ocfs2-kmp-rt-5.14.21-150400.15.130.1 reiserfs-kmp-rt-5.14.21-150400.15.130.1 kernel-rt-5.14.21-150400.15.130.1 as a component of SUSE Linux Enterprise Micro 5.3 kernel-source-rt-5.14.21-150400.15.130.1 as a component of SUSE Linux Enterprise Micro 5.3 kernel-rt-5.14.21-150400.15.130.1 as a component of SUSE Linux Enterprise Micro 5.4 kernel-source-rt-5.14.21-150400.15.130.1 as a component of SUSE Linux Enterprise Micro 5.4 In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: fix deadlock and link starvation in outgoing data path The current implementation queues up new control and user packets as needed and processes this queue down to the ldisc in the same code path. That means that the upper and the lower layer are hard coupled in the code. Due to this deadlocks can happen as seen below while transmitting data, especially during ldisc congestion. Furthermore, the data channels starve the control channel on high transmission load on the ldisc. Introduce an additional control channel data queue to prevent timeouts and link hangups during ldisc congestion. This is being processed before the user channel data queue in gsm_data_kick(), i.e. with the highest priority. Put the queue to ldisc data path into a workqueue and trigger it whenever new data has been put into the transmission queue. Change gsm_dlci_data_sweep() accordingly to fill up the transmission queue until TX_THRESH_HI. This solves the locking issue, keeps latency low and provides good performance on high data load. Note that now all packets from a DLCI are removed from the internal queue if the associated DLCI was closed. This ensures that no data is sent by the introduced write task to an already closed DLCI. BUG: spinlock recursion on CPU#0, test_v24_loop/124 lock: serial8250_ports+0x3a8/0x7500, .magic: dead4ead, .owner: test_v24_loop/124, .owner_cpu: 0 CPU: 0 PID: 124 Comm: test_v24_loop Tainted: G O 5.18.0-rc2 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <IRQ> dump_stack_lvl+0x34/0x44 do_raw_spin_lock+0x76/0xa0 _raw_spin_lock_irqsave+0x72/0x80 uart_write_room+0x3b/0xc0 gsm_data_kick+0x14b/0x240 [n_gsm] gsmld_write_wakeup+0x35/0x70 [n_gsm] tty_wakeup+0x53/0x60 tty_port_default_wakeup+0x1b/0x30 serial8250_tx_chars+0x12f/0x220 serial8250_handle_irq.part.0+0xfe/0x150 serial8250_default_handle_irq+0x48/0x80 serial8250_interrupt+0x56/0xa0 __handle_irq_event_percpu+0x78/0x1f0 handle_irq_event+0x34/0x70 handle_fasteoi_irq+0x90/0x1e0 __common_interrupt+0x69/0x100 common_interrupt+0x48/0xc0 asm_common_interrupt+0x1e/0x40 RIP: 0010:__do_softirq+0x83/0x34e Code: 2a 0a ff 0f b7 ed c7 44 24 10 0a 00 00 00 48 c7 c7 51 2a 64 82 e8 2d e2 d5 ff 65 66 c7 05 83 af 1e 7e 00 00 fb b8 ff ff ff ff <49> c7 c2 40 61 80 82 0f bc c5 41 89 c4 41 83 c4 01 0f 84 e6 00 00 RSP: 0018:ffffc90000003f98 EFLAGS: 00000286 RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff82642a51 RDI: ffffffff825bb5e7 RBP: 0000000000000200 R08: 00000008de3271a8 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000030 R14: 0000000000000000 R15: 0000000000000000 ? __do_softirq+0x73/0x34e irq_exit_rcu+0xb5/0x100 common_interrupt+0xa4/0xc0 </IRQ> <TASK> asm_common_interrupt+0x1e/0x40 RIP: 0010:_raw_spin_unlock_irqrestore+0x2e/0x50 Code: 00 55 48 89 fd 48 83 c7 18 53 48 89 f3 48 8b 74 24 10 e8 85 28 36 ff 48 89 ef e8 cd 58 36 ff 80 e7 02 74 01 fb bf 01 00 00 00 <e8> 3d 97 33 ff 65 8b 05 96 23 2b 7e 85 c0 74 03 5b 5d c3 0f 1f 44 RSP: 0018:ffffc9000020fd08 EFLAGS: 00000202 RAX: 0000000000000000 RBX: 0000000000000246 RCX: 0000000000000000 RDX: 0000000000000004 RSI: ffffffff8257fd74 RDI: 0000000000000001 RBP: ffff8880057de3a0 R08: 00000008de233000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000100 R14: 0000000000000202 R15: ffff8880057df0b8 ? _raw_spin_unlock_irqrestore+0x23/0x50 gsmtty_write+0x65/0x80 [n_gsm] n_tty_write+0x33f/0x530 ? swake_up_all+0xe0/0xe0 file_tty_write.constprop.0+0x1b1/0x320 ? n_tty_flush_buffer+0xb0/0xb0 new_sync_write+0x10c/0x190 vfs_write+0x282/0x310 ksys_write+0x68/0xe0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f3e5e35c15c Code: 8b 7c 24 08 89 c5 e8 c5 ff ff ff 89 ef 89 44 24 ---truncated--- CVE-2022-50116 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.130.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503383-1/ https://www.suse.com/security/cve/CVE-2022-50116.html CVE-2022-50116 https://bugzilla.suse.com/1244824 SUSE Bug 1244824 In the Linux kernel, the following vulnerability has been resolved: smb: prevent use-after-free due to open_cached_dir error paths If open_cached_dir() encounters an error parsing the lease from the server, the error handling may race with receiving a lease break, resulting in open_cached_dir() freeing the cfid while the queued work is pending. Update open_cached_dir() to drop refs rather than directly freeing the cfid. Have cached_dir_lease_break(), cfids_laundromat_worker(), and invalidate_all_cached_dirs() clear has_lease immediately while still holding cfids->cfid_list_lock, and then use this to also simplify the reference counting in cfids_laundromat_worker() and invalidate_all_cached_dirs(). Fixes this KASAN splat (which manually injects an error and lease break in open_cached_dir()): ================================================================== BUG: KASAN: slab-use-after-free in smb2_cached_lease_break+0x27/0xb0 Read of size 8 at addr ffff88811cc24c10 by task kworker/3:1/65 CPU: 3 UID: 0 PID: 65 Comm: kworker/3:1 Not tainted 6.12.0-rc6-g255cf264e6e5-dirty #87 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Workqueue: cifsiod smb2_cached_lease_break Call Trace: <TASK> dump_stack_lvl+0x77/0xb0 print_report+0xce/0x660 kasan_report+0xd3/0x110 smb2_cached_lease_break+0x27/0xb0 process_one_work+0x50a/0xc50 worker_thread+0x2ba/0x530 kthread+0x17c/0x1c0 ret_from_fork+0x34/0x60 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 2464: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 open_cached_dir+0xa7d/0x1fb0 smb2_query_path_info+0x43c/0x6e0 cifs_get_fattr+0x346/0xf10 cifs_get_inode_info+0x157/0x210 cifs_revalidate_dentry_attr+0x2d1/0x460 cifs_getattr+0x173/0x470 vfs_statx_path+0x10f/0x160 vfs_statx+0xe9/0x150 vfs_fstatat+0x5e/0xc0 __do_sys_newfstatat+0x91/0xf0 do_syscall_64+0x95/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 2464: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x51/0x70 kfree+0x174/0x520 open_cached_dir+0x97f/0x1fb0 smb2_query_path_info+0x43c/0x6e0 cifs_get_fattr+0x346/0xf10 cifs_get_inode_info+0x157/0x210 cifs_revalidate_dentry_attr+0x2d1/0x460 cifs_getattr+0x173/0x470 vfs_statx_path+0x10f/0x160 vfs_statx+0xe9/0x150 vfs_fstatat+0x5e/0xc0 __do_sys_newfstatat+0x91/0xf0 do_syscall_64+0x95/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Last potentially related work creation: kasan_save_stack+0x33/0x60 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x32/0x100 __queue_work+0x5c9/0x870 queue_work_on+0x82/0x90 open_cached_dir+0x1369/0x1fb0 smb2_query_path_info+0x43c/0x6e0 cifs_get_fattr+0x346/0xf10 cifs_get_inode_info+0x157/0x210 cifs_revalidate_dentry_attr+0x2d1/0x460 cifs_getattr+0x173/0x470 vfs_statx_path+0x10f/0x160 vfs_statx+0xe9/0x150 vfs_fstatat+0x5e/0xc0 __do_sys_newfstatat+0x91/0xf0 do_syscall_64+0x95/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e The buggy address belongs to the object at ffff88811cc24c00 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 16 bytes inside of freed 1024-byte region [ffff88811cc24c00, ffff88811cc25000) CVE-2024-53177 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.130.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503383-1/ https://www.suse.com/security/cve/CVE-2024-53177.html CVE-2024-53177 https://bugzilla.suse.com/1234896 SUSE Bug 1234896 https://bugzilla.suse.com/1235103 SUSE Bug 1235103 In the Linux kernel, the following vulnerability has been resolved: tls: stop recv() if initial process_rx_list gave us non-DATA If we have a non-DATA record on the rx_list and another record of the same type still on the queue, we will end up merging them: - process_rx_list copies the non-DATA record - we start the loop and process the first available record since it's of the same type - we break out of the loop since the record was not DATA Just check the record type and jump to the end in case process_rx_list did some work. CVE-2024-58239 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.130.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503383-1/ https://www.suse.com/security/cve/CVE-2024-58239.html CVE-2024-58239 https://bugzilla.suse.com/1248614 SUSE Bug 1248614 https://bugzilla.suse.com/1248615 SUSE Bug 1248615 In the Linux kernel, the following vulnerability has been resolved: net: atm: fix /proc/net/atm/lec handling /proc/net/atm/lec must ensure safety against dev_lec[] changes. It appears it had dev_put() calls without prior dev_hold(), leading to imbalance and UAF. CVE-2025-38180 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.130.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503383-1/ https://www.suse.com/security/cve/CVE-2025-38180.html CVE-2025-38180 https://bugzilla.suse.com/1245970 SUSE Bug 1245970 https://bugzilla.suse.com/1245971 SUSE Bug 1245971 In the Linux kernel, the following vulnerability has been resolved: net: atm: add lec_mutex syzbot found its way in net/atm/lec.c, and found an error path in lecd_attach() could leave a dangling pointer in dev_lec[]. Add a mutex to protect dev_lecp[] uses from lecd_attach(), lec_vcc_attach() and lec_mcast_attach(). Following patch will use this mutex for /proc/net/atm/lec. BUG: KASAN: slab-use-after-free in lecd_attach net/atm/lec.c:751 [inline] BUG: KASAN: slab-use-after-free in lane_ioctl+0x2224/0x23e0 net/atm/lec.c:1008 Read of size 8 at addr ffff88807c7b8e68 by task syz.1.17/6142 CPU: 1 UID: 0 PID: 6142 Comm: syz.1.17 Not tainted 6.16.0-rc1-syzkaller-00239-g08215f5486ec #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xcd/0x680 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 lecd_attach net/atm/lec.c:751 [inline] lane_ioctl+0x2224/0x23e0 net/atm/lec.c:1008 do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159 sock_do_ioctl+0x118/0x280 net/socket.c:1190 sock_ioctl+0x227/0x6b0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Allocated by task 6132: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4328 [inline] __kvmalloc_node_noprof+0x27b/0x620 mm/slub.c:5015 alloc_netdev_mqs+0xd2/0x1570 net/core/dev.c:11711 lecd_attach net/atm/lec.c:737 [inline] lane_ioctl+0x17db/0x23e0 net/atm/lec.c:1008 do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159 sock_do_ioctl+0x118/0x280 net/socket.c:1190 sock_ioctl+0x227/0x6b0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 6132: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2381 [inline] slab_free mm/slub.c:4643 [inline] kfree+0x2b4/0x4d0 mm/slub.c:4842 free_netdev+0x6c5/0x910 net/core/dev.c:11892 lecd_attach net/atm/lec.c:744 [inline] lane_ioctl+0x1ce8/0x23e0 net/atm/lec.c:1008 do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159 sock_do_ioctl+0x118/0x280 net/socket.c:1190 sock_ioctl+0x227/0x6b0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893 CVE-2025-38323 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.130.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503383-1/ https://www.suse.com/security/cve/CVE-2025-38323.html CVE-2025-38323 https://bugzilla.suse.com/1246473 SUSE Bug 1246473 https://bugzilla.suse.com/1246525 SUSE Bug 1246525 In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger right after unlock_task_sighand(). If a concurrent posix_cpu_timer_del() runs at that moment, it won't be able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or lock_task_sighand() will fail. Add the tsk->exit_state check into run_posix_cpu_timers() to fix this. This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because exit_task_work() is called before exit_notify(). But the check still makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail anyway in this case. CVE-2025-38352 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.130.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503383-1/ https://www.suse.com/security/cve/CVE-2025-38352.html CVE-2025-38352 https://bugzilla.suse.com/1246911 SUSE Bug 1246911 https://bugzilla.suse.com/1249205 SUSE Bug 1249205 In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix potential null-ptr-deref in to_atmarpd(). atmarpd is protected by RTNL since commit f3a0592b37b8 ("[ATM]: clip causes unregister hang"). However, it is not enough because to_atmarpd() is called without RTNL, especially clip_neigh_solicit() / neigh_ops->solicit() is unsleepable. Also, there is no RTNL dependency around atmarpd. Let's use a private mutex and RCU to protect access to atmarpd in to_atmarpd(). CVE-2025-38460 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.130.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503383-1/ https://www.suse.com/security/cve/CVE-2025-38460.html CVE-2025-38460 https://bugzilla.suse.com/1247143 SUSE Bug 1247143 In the Linux kernel, the following vulnerability has been resolved: do_change_type(): refuse to operate on unmounted/not ours mounts Ensure that propagation settings can only be changed for mounts located in the caller's mount namespace. This change aligns permission checking with the rest of mount(2). CVE-2025-38498 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.130.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503383-1/ https://www.suse.com/security/cve/CVE-2025-38498.html CVE-2025-38498 https://bugzilla.suse.com/1247374 SUSE Bug 1247374 https://bugzilla.suse.com/1247499 SUSE Bug 1247499 In the Linux kernel, the following vulnerability has been resolved: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns What we want is to verify there is that clone won't expose something hidden by a mount we wouldn't be able to undo. "Wouldn't be able to undo" may be a result of MNT_LOCKED on a child, but it may also come from lacking admin rights in the userns of the namespace mount belongs to. clone_private_mnt() checks the former, but not the latter. There's a number of rather confusing CAP_SYS_ADMIN checks in various userns during the mount, especially with the new mount API; they serve different purposes and in case of clone_private_mnt() they usually, but not always end up covering the missing check mentioned above. CVE-2025-38499 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.130.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503383-1/ https://www.suse.com/security/cve/CVE-2025-38499.html CVE-2025-38499 https://bugzilla.suse.com/1247976 SUSE Bug 1247976 https://bugzilla.suse.com/1248673 SUSE Bug 1248673 In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix memory leak of struct clip_vcc. ioctl(ATMARP_MKIP) allocates struct clip_vcc and set it to vcc->user_back. The code assumes that vcc_destroy_socket() passes NULL skb to vcc->push() when the socket is close()d, and then clip_push() frees clip_vcc. However, ioctl(ATMARPD_CTRL) sets NULL to vcc->push() in atm_init_atmarp(), resulting in memory leak. Let's serialise two ioctl() by lock_sock() and check vcc->push() in atm_init_atmarp() to prevent memleak. CVE-2025-38546 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.130.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503383-1/ https://www.suse.com/security/cve/CVE-2025-38546.html CVE-2025-38546 https://bugzilla.suse.com/1248223 SUSE Bug 1248223 In the Linux kernel, the following vulnerability has been resolved: usb: gadget : fix use-after-free in composite_dev_cleanup() 1. In func configfs_composite_bind() -> composite_os_desc_req_prepare(): if kmalloc fails, the pointer cdev->os_desc_req will be freed but not set to NULL. Then it will return a failure to the upper-level function. 2. in func configfs_composite_bind() -> composite_dev_cleanup(): it will checks whether cdev->os_desc_req is NULL. If it is not NULL, it will attempt to use it.This will lead to a use-after-free issue. BUG: KASAN: use-after-free in composite_dev_cleanup+0xf4/0x2c0 Read of size 8 at addr 0000004827837a00 by task init/1 CPU: 10 PID: 1 Comm: init Tainted: G O 5.10.97-oh #1 kasan_report+0x188/0x1cc __asan_load8+0xb4/0xbc composite_dev_cleanup+0xf4/0x2c0 configfs_composite_bind+0x210/0x7ac udc_bind_to_driver+0xb4/0x1ec usb_gadget_probe_driver+0xec/0x21c gadget_dev_desc_UDC_store+0x264/0x27c CVE-2025-38555 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.130.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503383-1/ https://www.suse.com/security/cve/CVE-2025-38555.html CVE-2025-38555 https://bugzilla.suse.com/1248297 SUSE Bug 1248297 https://bugzilla.suse.com/1248298 SUSE Bug 1248298 In the Linux kernel, the following vulnerability has been resolved: x86/sev: Evict cache lines during SNP memory validation An SNP cache coherency vulnerability requires a cache line eviction mitigation when validating memory after a page state change to private. The specific mitigation is to touch the first and last byte of each 4K page that is being validated. There is no need to perform the mitigation when performing a page state change to shared and rescinding validation. CPUID bit Fn8000001F_EBX[31] defines the COHERENCY_SFW_NO CPUID bit that, when set, indicates that the software mitigation for this vulnerability is not needed. Implement the mitigation and invoke it when validating memory (making it private) and the COHERENCY_SFW_NO bit is not set, indicating the SNP guest is vulnerable. CVE-2025-38560 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.130.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503383-1/ https://www.suse.com/security/cve/CVE-2025-38560.html CVE-2025-38560 https://bugzilla.suse.com/1248312 SUSE Bug 1248312 https://bugzilla.suse.com/1248313 SUSE Bug 1248313 In the Linux kernel, the following vulnerability has been resolved: perf/core: Prevent VMA split of buffer mappings The perf mmap code is careful about mmap()'ing the user page with the ringbuffer and additionally the auxiliary buffer, when the event supports it. Once the first mapping is established, subsequent mapping have to use the same offset and the same size in both cases. The reference counting for the ringbuffer and the auxiliary buffer depends on this being correct. Though perf does not prevent that a related mapping is split via mmap(2), munmap(2) or mremap(2). A split of a VMA results in perf_mmap_open() calls, which take reference counts, but then the subsequent perf_mmap_close() calls are not longer fulfilling the offset and size checks. This leads to reference count leaks. As perf already has the requirement for subsequent mappings to match the initial mapping, the obvious consequence is that VMA splits, caused by resizing of a mapping or partial unmapping, have to be prevented. Implement the vm_operations_struct::may_split() callback and return unconditionally -EINVAL. That ensures that the mapping offsets and sizes cannot be changed after the fact. Remapping to a different fixed address with the same size is still possible as it takes the references for the new mapping and drops those of the old mapping. CVE-2025-38563 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.130.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503383-1/ https://www.suse.com/security/cve/CVE-2025-38563.html CVE-2025-38563 https://bugzilla.suse.com/1248306 SUSE Bug 1248306 https://bugzilla.suse.com/1248307 SUSE Bug 1248307 In the Linux kernel, the following vulnerability has been resolved: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls When sending plaintext data, we initially calculated the corresponding ciphertext length. However, if we later reduced the plaintext data length via socket policy, we failed to recalculate the ciphertext length. This results in transmitting buffers containing uninitialized data during ciphertext transmission. This causes uninitialized bytes to be appended after a complete "Application Data" packet, leading to errors on the receiving end when parsing TLS record. CVE-2025-38608 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.130.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503383-1/ https://www.suse.com/security/cve/CVE-2025-38608.html CVE-2025-38608 https://bugzilla.suse.com/1248338 SUSE Bug 1248338 https://bugzilla.suse.com/1248670 SUSE Bug 1248670 In the Linux kernel, the following vulnerability has been resolved: net/packet: fix a race in packet_set_ring() and packet_notifier() When packet_set_ring() releases po->bind_lock, another thread can run packet_notifier() and process an NETDEV_UP event. This race and the fix are both similar to that of commit 15fe076edea7 ("net/packet: fix a race in packet_bind() and packet_notifier()"). There too the packet_notifier NETDEV_UP event managed to run while a po->bind_lock critical section had to be temporarily released. And the fix was similarly to temporarily set po->num to zero to keep the socket unhooked until the lock is retaken. The po->bind_lock in packet_set_ring and packet_notifier precede the introduction of git history. CVE-2025-38617 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.130.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503383-1/ https://www.suse.com/security/cve/CVE-2025-38617.html CVE-2025-38617 https://bugzilla.suse.com/1248621 SUSE Bug 1248621 https://bugzilla.suse.com/1249208 SUSE Bug 1249208 In the Linux kernel, the following vulnerability has been resolved: vsock: Do not allow binding to VMADDR_PORT_ANY It is possible for a vsock to autobind to VMADDR_PORT_ANY. This can cause a use-after-free when a connection is made to the bound socket. The socket returned by accept() also has port VMADDR_PORT_ANY but is not on the list of unbound sockets. Binding it will result in an extra refcount decrement similar to the one fixed in fcdd2242c023 (vsock: Keep the binding until socket destruction). Modify the check in __vsock_bind_connectible() to also prevent binding to VMADDR_PORT_ANY. CVE-2025-38618 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.130.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503383-1/ https://www.suse.com/security/cve/CVE-2025-38618.html CVE-2025-38618 https://bugzilla.suse.com/1248511 SUSE Bug 1248511 https://bugzilla.suse.com/1249207 SUSE Bug 1249207 In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: reject TDLS operations when station is not associated syzbot triggered a WARN in ieee80211_tdls_oper() by sending NL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT, before association completed and without prior TDLS setup. This left internal state like sdata->u.mgd.tdls_peer uninitialized, leading to a WARN_ON() in code paths that assumed it was valid. Reject the operation early if not in station mode or not associated. CVE-2025-38644 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.130.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.130.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503383-1/ https://www.suse.com/security/cve/CVE-2025-38644.html CVE-2025-38644 https://bugzilla.suse.com/1248748 SUSE Bug 1248748 https://bugzilla.suse.com/1248749 SUSE Bug 1248749