Security update for the Linux Kernel SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:1574-1 Final 1 1 2025-05-16T18:36:34Z current 2025-05-16T18:36:34Z 2025-05-16T18:36:34Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel The SUSE Linux Enterprise 15 SP3 RT kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2025-21726: padata: avoid UAF for reorder_work (bsc#1238865). - CVE-2025-21785: arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array (bsc#1238747). - CVE-2025-21791: vrf: use RCU protection in l3mdev_l3_out() (bsc#1238512). - CVE-2025-22004: net: atm: fix use after free in lec_send() (bsc#1240835). - CVE-2025-22020: memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove (bsc#1241280). - CVE-2025-22055: net: fix geneve_opt length integer overflow (bsc#1241371). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-1574,SUSE-SUSE-MicroOS-5.1-2025-1574,SUSE-SUSE-MicroOS-5.2-2025-1574 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20251574-1/ Link for SUSE-SU-2025:1574-1 https://lists.suse.com/pipermail/sle-security-updates/2025-May/020835.html E-Mail link for SUSE-SU-2025:1574-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1207034 SUSE Bug 1207034 https://bugzilla.suse.com/1207878 SUSE Bug 1207878 https://bugzilla.suse.com/1221980 SUSE Bug 1221980 https://bugzilla.suse.com/1234931 SUSE Bug 1234931 https://bugzilla.suse.com/1235433 SUSE Bug 1235433 https://bugzilla.suse.com/1237984 SUSE Bug 1237984 https://bugzilla.suse.com/1238512 SUSE Bug 1238512 https://bugzilla.suse.com/1238747 SUSE Bug 1238747 https://bugzilla.suse.com/1238865 SUSE Bug 1238865 https://bugzilla.suse.com/1240210 SUSE Bug 1240210 https://bugzilla.suse.com/1240308 SUSE Bug 1240308 https://bugzilla.suse.com/1240835 SUSE Bug 1240835 https://bugzilla.suse.com/1241280 SUSE Bug 1241280 https://bugzilla.suse.com/1241371 SUSE Bug 1241371 https://bugzilla.suse.com/1241404 SUSE Bug 1241404 https://bugzilla.suse.com/1241405 SUSE Bug 1241405 https://bugzilla.suse.com/1241407 SUSE Bug 1241407 https://bugzilla.suse.com/1241408 SUSE Bug 1241408 https://www.suse.com/security/cve/CVE-2020-36789/ SUSE CVE CVE-2020-36789 page https://www.suse.com/security/cve/CVE-2021-47163/ SUSE CVE CVE-2021-47163 page https://www.suse.com/security/cve/CVE-2021-47668/ SUSE CVE CVE-2021-47668 page https://www.suse.com/security/cve/CVE-2021-47669/ SUSE CVE CVE-2021-47669 page https://www.suse.com/security/cve/CVE-2021-47670/ SUSE CVE CVE-2021-47670 page https://www.suse.com/security/cve/CVE-2022-49111/ SUSE CVE CVE-2022-49111 page https://www.suse.com/security/cve/CVE-2023-0179/ SUSE CVE CVE-2023-0179 page https://www.suse.com/security/cve/CVE-2023-53026/ SUSE CVE CVE-2023-53026 page https://www.suse.com/security/cve/CVE-2023-53033/ SUSE CVE CVE-2023-53033 page https://www.suse.com/security/cve/CVE-2024-56642/ SUSE CVE CVE-2024-56642 page https://www.suse.com/security/cve/CVE-2024-56661/ SUSE CVE CVE-2024-56661 page https://www.suse.com/security/cve/CVE-2025-21726/ SUSE CVE CVE-2025-21726 page https://www.suse.com/security/cve/CVE-2025-21785/ SUSE CVE CVE-2025-21785 page https://www.suse.com/security/cve/CVE-2025-21791/ SUSE CVE CVE-2025-21791 page https://www.suse.com/security/cve/CVE-2025-22004/ SUSE CVE CVE-2025-22004 page https://www.suse.com/security/cve/CVE-2025-22020/ SUSE CVE CVE-2025-22020 page https://www.suse.com/security/cve/CVE-2025-22055/ SUSE CVE CVE-2025-22055 page SUSE Linux Enterprise Micro 5.1 SUSE Linux Enterprise Micro 5.2 cluster-md-kmp-rt-5.3.18-150300.208.1 cluster-md-kmp-rt_debug-5.3.18-150300.208.1 dlm-kmp-rt-5.3.18-150300.208.1 dlm-kmp-rt_debug-5.3.18-150300.208.1 gfs2-kmp-rt-5.3.18-150300.208.1 gfs2-kmp-rt_debug-5.3.18-150300.208.1 kernel-devel-rt-5.3.18-150300.208.1 kernel-rt-5.3.18-150300.208.1 kernel-rt-devel-5.3.18-150300.208.1 kernel-rt-extra-5.3.18-150300.208.1 kernel-rt-livepatch-devel-5.3.18-150300.208.1 kernel-rt-optional-5.3.18-150300.208.1 kernel-rt_debug-5.3.18-150300.208.1 kernel-rt_debug-devel-5.3.18-150300.208.1 kernel-rt_debug-extra-5.3.18-150300.208.1 kernel-rt_debug-livepatch-devel-5.3.18-150300.208.1 kernel-rt_debug-optional-5.3.18-150300.208.1 kernel-source-rt-5.3.18-150300.208.1 kernel-syms-rt-5.3.18-150300.208.1 kselftests-kmp-rt-5.3.18-150300.208.1 kselftests-kmp-rt_debug-5.3.18-150300.208.1 ocfs2-kmp-rt-5.3.18-150300.208.1 ocfs2-kmp-rt_debug-5.3.18-150300.208.1 reiserfs-kmp-rt-5.3.18-150300.208.1 reiserfs-kmp-rt_debug-5.3.18-150300.208.1 kernel-rt-5.3.18-150300.208.1 as a component of SUSE Linux Enterprise Micro 5.1 kernel-source-rt-5.3.18-150300.208.1 as a component of SUSE Linux Enterprise Micro 5.1 kernel-rt-5.3.18-150300.208.1 as a component of SUSE Linux Enterprise Micro 5.2 kernel-source-rt-5.3.18-150300.208.1 as a component of SUSE Linux Enterprise Micro 5.2 In the Linux kernel, the following vulnerability has been resolved: can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context If a driver calls can_get_echo_skb() during a hardware IRQ (which is often, but not always, the case), the 'WARN_ON(in_irq)' in net/core/skbuff.c#skb_release_head_state() might be triggered, under network congestion circumstances, together with the potential risk of a NULL pointer dereference. The root cause of this issue is the call to kfree_skb() instead of dev_kfree_skb_irq() in net/core/dev.c#enqueue_to_backlog(). This patch prevents the skb to be freed within the call to netif_rx() by incrementing its reference count with skb_get(). The skb is finally freed by one of the in-irq-context safe functions: dev_consume_skb_any() or dev_kfree_skb_any(). The "any" version is used because some drivers might call can_get_echo_skb() in a normal context. The reason for this issue to occur is that initially, in the core network stack, loopback skb were not supposed to be received in hardware IRQ context. The CAN stack is an exeption. This bug was previously reported back in 2017 in [1] but the proposed patch never got accepted. While [1] directly modifies net/core/dev.c, we try to propose here a smoother modification local to CAN network stack (the assumption behind is that only CAN devices are affected by this issue). [1] http://lore.kernel.org/r/57a3ffb6-3309-3ad5-5a34-e93c3fe3614d@cetitec.com CVE-2020-36789 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.208.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251574-1/ https://www.suse.com/security/cve/CVE-2020-36789.html CVE-2020-36789 https://bugzilla.suse.com/1241408 SUSE Bug 1241408 In the Linux kernel, the following vulnerability has been resolved: tipc: wait and exit until all work queues are done On some host, a crash could be triggered simply by repeating these commands several times: # modprobe tipc # tipc bearer enable media udp name UDP1 localip 127.0.0.1 # rmmod tipc [] BUG: unable to handle kernel paging request at ffffffffc096bb00 [] Workqueue: events 0xffffffffc096bb00 [] Call Trace: [] ? process_one_work+0x1a7/0x360 [] ? worker_thread+0x30/0x390 [] ? create_worker+0x1a0/0x1a0 [] ? kthread+0x116/0x130 [] ? kthread_flush_work_fn+0x10/0x10 [] ? ret_from_fork+0x35/0x40 When removing the TIPC module, the UDP tunnel sock will be delayed to release in a work queue as sock_release() can't be done in rtnl_lock(). If the work queue is schedule to run after the TIPC module is removed, kernel will crash as the work queue function cleanup_beareri() code no longer exists when trying to invoke it. To fix it, this patch introduce a member wq_count in tipc_net to track the numbers of work queues in schedule, and wait and exit until all work queues are done in tipc_exit_net(). CVE-2021-47163 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.208.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251574-1/ https://www.suse.com/security/cve/CVE-2021-47163.html CVE-2021-47163 https://bugzilla.suse.com/1221980 SUSE Bug 1221980 In the Linux kernel, the following vulnerability has been resolved: can: dev: can_restart: fix use after free bug After calling netif_rx_ni(skb), dereferencing skb is unsafe. Especially, the can_frame cf which aliases skb memory is accessed after the netif_rx_ni() in: stats->rx_bytes += cf->len; Reordering the lines solves the issue. CVE-2021-47668 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.208.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251574-1/ https://www.suse.com/security/cve/CVE-2021-47668.html CVE-2021-47668 https://bugzilla.suse.com/1241404 SUSE Bug 1241404 In the Linux kernel, the following vulnerability has been resolved: can: vxcan: vxcan_xmit: fix use after free bug After calling netif_rx_ni(skb), dereferencing skb is unsafe. Especially, the canfd_frame cfd which aliases skb memory is accessed after the netif_rx_ni(). CVE-2021-47669 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.208.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251574-1/ https://www.suse.com/security/cve/CVE-2021-47669.html CVE-2021-47669 https://bugzilla.suse.com/1241405 SUSE Bug 1241405 In the Linux kernel, the following vulnerability has been resolved: can: peak_usb: fix use after free bugs After calling peak_usb_netif_rx_ni(skb), dereferencing skb is unsafe. Especially, the can_frame cf which aliases skb memory is accessed after the peak_usb_netif_rx_ni(). Reordering the lines solves the issue. CVE-2021-47670 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.208.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251574-1/ https://www.suse.com/security/cve/CVE-2021-47670.html CVE-2021-47670 https://bugzilla.suse.com/1241407 SUSE Bug 1241407 ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2022-49111 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.208.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251574-1/ https://www.suse.com/security/cve/CVE-2022-49111.html CVE-2022-49111 https://bugzilla.suse.com/1237984 SUSE Bug 1237984 A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel. This issue could allow the leakage of both stack and heap addresses, and potentially allow Local Privilege Escalation to the root user via arbitrary code execution. CVE-2023-0179 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.208.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251574-1/ https://www.suse.com/security/cve/CVE-2023-0179.html CVE-2023-0179 https://bugzilla.suse.com/1207034 SUSE Bug 1207034 https://bugzilla.suse.com/1207139 SUSE Bug 1207139 https://bugzilla.suse.com/1215208 SUSE Bug 1215208 ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2023-53026 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.208.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251574-1/ https://www.suse.com/security/cve/CVE-2023-53026.html CVE-2023-53026 https://bugzilla.suse.com/1240308 SUSE Bug 1240308 ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2023-53033 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.208.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251574-1/ https://www.suse.com/security/cve/CVE-2023-53033.html CVE-2023-53033 https://bugzilla.suse.com/1240210 SUSE Bug 1240210 In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free of kernel socket in cleanup_bearer(). syzkaller reported a use-after-free of UDP kernel socket in cleanup_bearer() without repro. [0][1] When bearer_disable() calls tipc_udp_disable(), cleanup of the UDP kernel socket is deferred by work calling cleanup_bearer(). tipc_exit_net() waits for such works to finish by checking tipc_net(net)->wq_count. However, the work decrements the count too early before releasing the kernel socket, unblocking cleanup_net() and resulting in use-after-free. Let's move the decrement after releasing the socket in cleanup_bearer(). [0]: ref_tracker: net notrefcnt@000000009b3d1faf has 1/1 users at sk_alloc+0x438/0x608 inet_create+0x4c8/0xcb0 __sock_create+0x350/0x6b8 sock_create_kern+0x58/0x78 udp_sock_create4+0x68/0x398 udp_sock_create+0x88/0xc8 tipc_udp_enable+0x5e8/0x848 __tipc_nl_bearer_enable+0x84c/0xed8 tipc_nl_bearer_enable+0x38/0x60 genl_family_rcv_msg_doit+0x170/0x248 genl_rcv_msg+0x400/0x5b0 netlink_rcv_skb+0x1dc/0x398 genl_rcv+0x44/0x68 netlink_unicast+0x678/0x8b0 netlink_sendmsg+0x5e4/0x898 ____sys_sendmsg+0x500/0x830 [1]: BUG: KMSAN: use-after-free in udp_hashslot include/net/udp.h:85 [inline] BUG: KMSAN: use-after-free in udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979 udp_hashslot include/net/udp.h:85 [inline] udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979 sk_common_release+0xaf/0x3f0 net/core/sock.c:3820 inet_release+0x1e0/0x260 net/ipv4/af_inet.c:437 inet6_release+0x6f/0xd0 net/ipv6/af_inet6.c:489 __sock_release net/socket.c:658 [inline] sock_release+0xa0/0x210 net/socket.c:686 cleanup_bearer+0x42d/0x4c0 net/tipc/udp_media.c:819 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310 worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391 kthread+0x531/0x6b0 kernel/kthread.c:389 ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244 Uninit was created at: slab_free_hook mm/slub.c:2269 [inline] slab_free mm/slub.c:4580 [inline] kmem_cache_free+0x207/0xc40 mm/slub.c:4682 net_free net/core/net_namespace.c:454 [inline] cleanup_net+0x16f2/0x19d0 net/core/net_namespace.c:647 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310 worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391 kthread+0x531/0x6b0 kernel/kthread.c:389 ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244 CPU: 0 UID: 0 PID: 54 Comm: kworker/0:2 Not tainted 6.12.0-rc1-00131-gf66ebf37d69c #7 91723d6f74857f70725e1583cba3cf4adc716cfa Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 Workqueue: events cleanup_bearer CVE-2024-56642 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.208.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251574-1/ https://www.suse.com/security/cve/CVE-2024-56642.html CVE-2024-56642 https://bugzilla.suse.com/1235433 SUSE Bug 1235433 https://bugzilla.suse.com/1235434 SUSE Bug 1235434 In the Linux kernel, the following vulnerability has been resolved: tipc: fix NULL deref in cleanup_bearer() syzbot found [1] that after blamed commit, ub->ubsock->sk was NULL when attempting the atomic_dec() : atomic_dec(&tipc_net(sock_net(ub->ubsock->sk))->wq_count); Fix this by caching the tipc_net pointer. [1] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] CPU: 0 UID: 0 PID: 5896 Comm: kworker/0:3 Not tainted 6.13.0-rc1-next-20241203-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: events cleanup_bearer RIP: 0010:read_pnet include/net/net_namespace.h:387 [inline] RIP: 0010:sock_net include/net/sock.h:655 [inline] RIP: 0010:cleanup_bearer+0x1f7/0x280 net/tipc/udp_media.c:820 Code: 18 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 3c f7 99 f6 48 8b 1b 48 83 c3 30 e8 f0 e4 60 00 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 1a f7 99 f6 49 83 c7 e8 48 8b 1b RSP: 0018:ffffc9000410fb70 EFLAGS: 00010206 RAX: 0000000000000006 RBX: 0000000000000030 RCX: ffff88802fe45a00 RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffc9000410f900 RBP: ffff88807e1f0908 R08: ffffc9000410f907 R09: 1ffff92000821f20 R10: dffffc0000000000 R11: fffff52000821f21 R12: ffff888031d19980 R13: dffffc0000000000 R14: dffffc0000000000 R15: ffff88807e1f0918 FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000556ca050b000 CR3: 0000000031c0c000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 CVE-2024-56661 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.208.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251574-1/ https://www.suse.com/security/cve/CVE-2024-56661.html CVE-2024-56661 https://bugzilla.suse.com/1234931 SUSE Bug 1234931 In the Linux kernel, the following vulnerability has been resolved: padata: avoid UAF for reorder_work Although the previous patch can avoid ps and ps UAF for _do_serial, it can not avoid potential UAF issue for reorder_work. This issue can happen just as below: crypto_request crypto_request crypto_del_alg padata_do_serial ... padata_reorder // processes all remaining // requests then breaks while (1) { if (!padata) break; ... } padata_do_serial // new request added list_add // sees the new request queue_work(reorder_work) padata_reorder queue_work_on(squeue->work) ... <kworker context> padata_serial_worker // completes new request, // no more outstanding // requests crypto_del_alg // free pd <kworker context> invoke_padata_reorder // UAF of pd To avoid UAF for 'reorder_work', get 'pd' ref before put 'reorder_work' into the 'serial_wq' and put 'pd' ref until the 'serial_wq' finish. CVE-2025-21726 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.208.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251574-1/ https://www.suse.com/security/cve/CVE-2025-21726.html CVE-2025-21726 https://bugzilla.suse.com/1238865 SUSE Bug 1238865 https://bugzilla.suse.com/1240837 SUSE Bug 1240837 In the Linux kernel, the following vulnerability has been resolved: arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array The loop that detects/populates cache information already has a bounds check on the array size but does not account for cache levels with separate data/instructions cache. Fix this by incrementing the index for any populated leaf (instead of any populated level). CVE-2025-21785 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.208.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251574-1/ https://www.suse.com/security/cve/CVE-2025-21785.html CVE-2025-21785 https://bugzilla.suse.com/1238747 SUSE Bug 1238747 https://bugzilla.suse.com/1240745 SUSE Bug 1240745 In the Linux kernel, the following vulnerability has been resolved: vrf: use RCU protection in l3mdev_l3_out() l3mdev_l3_out() can be called without RCU being held: raw_sendmsg() ip_push_pending_frames() ip_send_skb() ip_local_out() __ip_local_out() l3mdev_ip_out() Add rcu_read_lock() / rcu_read_unlock() pair to avoid a potential UAF. CVE-2025-21791 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.208.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251574-1/ https://www.suse.com/security/cve/CVE-2025-21791.html CVE-2025-21791 https://bugzilla.suse.com/1238512 SUSE Bug 1238512 https://bugzilla.suse.com/1240744 SUSE Bug 1240744 In the Linux kernel, the following vulnerability has been resolved: net: atm: fix use after free in lec_send() The ->send() operation frees skb so save the length before calling ->send() to avoid a use after free. CVE-2025-22004 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.208.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251574-1/ https://www.suse.com/security/cve/CVE-2025-22004.html CVE-2025-22004 https://bugzilla.suse.com/1240835 SUSE Bug 1240835 https://bugzilla.suse.com/1241090 SUSE Bug 1241090 In the Linux kernel, the following vulnerability has been resolved: memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove This fixes the following crash: ================================================================== BUG: KASAN: slab-use-after-free in rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] Read of size 8 at addr ffff888136335380 by task kworker/6:0/140241 CPU: 6 UID: 0 PID: 140241 Comm: kworker/6:0 Kdump: loaded Tainted: G E 6.14.0-rc6+ #1 Tainted: [E]=UNSIGNED_MODULE Hardware name: LENOVO 30FNA1V7CW/1057, BIOS S0EKT54A 07/01/2024 Workqueue: events rtsx_usb_ms_poll_card [rtsx_usb_ms] Call Trace: <TASK> dump_stack_lvl+0x51/0x70 print_address_description.constprop.0+0x27/0x320 ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] print_report+0x3e/0x70 kasan_report+0xab/0xe0 ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] ? __pfx_rtsx_usb_ms_poll_card+0x10/0x10 [rtsx_usb_ms] ? __pfx___schedule+0x10/0x10 ? kick_pool+0x3b/0x270 process_one_work+0x357/0x660 worker_thread+0x390/0x4c0 ? __pfx_worker_thread+0x10/0x10 kthread+0x190/0x1d0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2d/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 161446: kasan_save_stack+0x20/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0x7b/0x90 __kmalloc_noprof+0x1a7/0x470 memstick_alloc_host+0x1f/0xe0 [memstick] rtsx_usb_ms_drv_probe+0x47/0x320 [rtsx_usb_ms] platform_probe+0x60/0xe0 call_driver_probe+0x35/0x120 really_probe+0x123/0x410 __driver_probe_device+0xc7/0x1e0 driver_probe_device+0x49/0xf0 __device_attach_driver+0xc6/0x160 bus_for_each_drv+0xe4/0x160 __device_attach+0x13a/0x2b0 bus_probe_device+0xbd/0xd0 device_add+0x4a5/0x760 platform_device_add+0x189/0x370 mfd_add_device+0x587/0x5e0 mfd_add_devices+0xb1/0x130 rtsx_usb_probe+0x28e/0x2e0 [rtsx_usb] usb_probe_interface+0x15c/0x460 call_driver_probe+0x35/0x120 really_probe+0x123/0x410 __driver_probe_device+0xc7/0x1e0 driver_probe_device+0x49/0xf0 __device_attach_driver+0xc6/0x160 bus_for_each_drv+0xe4/0x160 __device_attach+0x13a/0x2b0 rebind_marked_interfaces.isra.0+0xcc/0x110 usb_reset_device+0x352/0x410 usbdev_do_ioctl+0xe5c/0x1860 usbdev_ioctl+0xa/0x20 __x64_sys_ioctl+0xc5/0xf0 do_syscall_64+0x59/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 161506: kasan_save_stack+0x20/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x36/0x60 __kasan_slab_free+0x34/0x50 kfree+0x1fd/0x3b0 device_release+0x56/0xf0 kobject_cleanup+0x73/0x1c0 rtsx_usb_ms_drv_remove+0x13d/0x220 [rtsx_usb_ms] platform_remove+0x2f/0x50 device_release_driver_internal+0x24b/0x2e0 bus_remove_device+0x124/0x1d0 device_del+0x239/0x530 platform_device_del.part.0+0x19/0xe0 platform_device_unregister+0x1c/0x40 mfd_remove_devices_fn+0x167/0x170 device_for_each_child_reverse+0xc9/0x130 mfd_remove_devices+0x6e/0xa0 rtsx_usb_disconnect+0x2e/0xd0 [rtsx_usb] usb_unbind_interface+0xf3/0x3f0 device_release_driver_internal+0x24b/0x2e0 proc_disconnect_claim+0x13d/0x220 usbdev_do_ioctl+0xb5e/0x1860 usbdev_ioctl+0xa/0x20 __x64_sys_ioctl+0xc5/0xf0 do_syscall_64+0x59/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Last potentially related work creation: kasan_save_stack+0x20/0x40 kasan_record_aux_stack+0x85/0x90 insert_work+0x29/0x100 __queue_work+0x34a/0x540 call_timer_fn+0x2a/0x160 expire_timers+0x5f/0x1f0 __run_timer_base.part.0+0x1b6/0x1e0 run_timer_softirq+0x8b/0xe0 handle_softirqs+0xf9/0x360 __irq_exit_rcu+0x114/0x130 sysvec_apic_timer_interrupt+0x72/0x90 asm_sysvec_apic_timer_interrupt+0x16/0x20 Second to last potentially related work creation: kasan_save_stack+0x20/0x40 kasan_record_aux_stack+0x85/0x90 insert_work+0x29/0x100 __queue_work+0x34a/0x540 call_timer_fn+0x2a/0x160 expire_timers+0x5f/0x1f0 __run_timer_base.part.0+0x1b6/0x1e0 run_timer_softirq+0x8b/0xe0 handle_softirqs+0xf9/0x ---truncated--- CVE-2025-22020 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.208.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251574-1/ https://www.suse.com/security/cve/CVE-2025-22020.html CVE-2025-22020 https://bugzilla.suse.com/1241280 SUSE Bug 1241280 In the Linux kernel, the following vulnerability has been resolved: net: fix geneve_opt length integer overflow struct geneve_opt uses 5 bit length for each single option, which means every vary size option should be smaller than 128 bytes. However, all current related Netlink policies cannot promise this length condition and the attacker can exploit a exact 128-byte size option to *fake* a zero length option and confuse the parsing logic, further achieve heap out-of-bounds read. One example crash log is like below: [ 3.905425] ================================================================== [ 3.905925] BUG: KASAN: slab-out-of-bounds in nla_put+0xa9/0xe0 [ 3.906255] Read of size 124 at addr ffff888005f291cc by task poc/177 [ 3.906646] [ 3.906775] CPU: 0 PID: 177 Comm: poc-oob-read Not tainted 6.1.132 #1 [ 3.907131] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 [ 3.907784] Call Trace: [ 3.907925] <TASK> [ 3.908048] dump_stack_lvl+0x44/0x5c [ 3.908258] print_report+0x184/0x4be [ 3.909151] kasan_report+0xc5/0x100 [ 3.909539] kasan_check_range+0xf3/0x1a0 [ 3.909794] memcpy+0x1f/0x60 [ 3.909968] nla_put+0xa9/0xe0 [ 3.910147] tunnel_key_dump+0x945/0xba0 [ 3.911536] tcf_action_dump_1+0x1c1/0x340 [ 3.912436] tcf_action_dump+0x101/0x180 [ 3.912689] tcf_exts_dump+0x164/0x1e0 [ 3.912905] fw_dump+0x18b/0x2d0 [ 3.913483] tcf_fill_node+0x2ee/0x460 [ 3.914778] tfilter_notify+0xf4/0x180 [ 3.915208] tc_new_tfilter+0xd51/0x10d0 [ 3.918615] rtnetlink_rcv_msg+0x4a2/0x560 [ 3.919118] netlink_rcv_skb+0xcd/0x200 [ 3.919787] netlink_unicast+0x395/0x530 [ 3.921032] netlink_sendmsg+0x3d0/0x6d0 [ 3.921987] __sock_sendmsg+0x99/0xa0 [ 3.922220] __sys_sendto+0x1b7/0x240 [ 3.922682] __x64_sys_sendto+0x72/0x90 [ 3.922906] do_syscall_64+0x5e/0x90 [ 3.923814] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 3.924122] RIP: 0033:0x7e83eab84407 [ 3.924331] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf [ 3.925330] RSP: 002b:00007ffff505e370 EFLAGS: 00000202 ORIG_RAX: 000000000000002c [ 3.925752] RAX: ffffffffffffffda RBX: 00007e83eaafa740 RCX: 00007e83eab84407 [ 3.926173] RDX: 00000000000001a8 RSI: 00007ffff505e3c0 RDI: 0000000000000003 [ 3.926587] RBP: 00007ffff505f460 R08: 00007e83eace1000 R09: 000000000000000c [ 3.926977] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffff505f3c0 [ 3.927367] R13: 00007ffff505f5c8 R14: 00007e83ead1b000 R15: 00005d4fbbe6dcb8 Fix these issues by enforing correct length condition in related policies. CVE-2025-22055 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.208.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.208.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251574-1/ https://www.suse.com/security/cve/CVE-2025-22055.html CVE-2025-22055 https://bugzilla.suse.com/1241371 SUSE Bug 1241371 https://bugzilla.suse.com/1241372 SUSE Bug 1241372