Security update for the Linux Kernel (Live Patch 23 for SUSE Linux Enterprise 15 SP5) SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:4255-1 Final 1 1 2025-11-26T09:35:19Z current 2025-11-26T09:35:19Z 2025-11-26T09:35:19Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel (Live Patch 23 for SUSE Linux Enterprise 15 SP5) This update for the SUSE Linux Enterprise kernel 5.14.21-150500.55.94 fixes various security issues The following security issues were fixed: - CVE-2024-53141: netfilter: ipset: add missing range check in bitmap_ip_uadt (bsc#1245778). - CVE-2025-23145: mptcp: fix NULL pointer in can_accept_new_subflow (bsc#1242882). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-4248,SUSE-2025-4249,SUSE-2025-4255,SUSE-SLE-Module-Live-Patching-15-SP5-2025-4248 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20254255-1/ Link for SUSE-SU-2025:4255-1 https://lists.suse.com/pipermail/sle-security-updates/2025-November/023366.html E-Mail link for SUSE-SU-2025:4255-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1242882 SUSE Bug 1242882 https://bugzilla.suse.com/1245778 SUSE Bug 1245778 https://www.suse.com/security/cve/CVE-2024-53141/ SUSE CVE CVE-2024-53141 page https://www.suse.com/security/cve/CVE-2025-23145/ SUSE CVE CVE-2025-23145 page SUSE Linux Enterprise Live Patching 15 SP5 kernel-livepatch-5_14_21-150500_55_94-default-11-150500.2.1 kernel-livepatch-5_14_21-150500_55_97-default-11-150500.2.1 kernel-livepatch-5_14_21-150500_55_91-default-15-150500.2.1 kernel-livepatch-5_14_21-150500_55_94-default-11-150500.2.1 as a component of SUSE Linux Enterprise Live Patching 15 SP5 In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: add missing range check in bitmap_ip_uadt When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists, the values of ip and ip_to are slightly swapped. Therefore, the range check for ip should be done later, but this part is missing and it seems that the vulnerability occurs. So we should add missing range checks and remove unnecessary range checks. CVE-2024-53141 SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_94-default-11-150500.2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254255-1/ https://www.suse.com/security/cve/CVE-2024-53141.html CVE-2024-53141 https://bugzilla.suse.com/1234381 SUSE Bug 1234381 https://bugzilla.suse.com/1245778 SUSE Bug 1245778 In the Linux kernel, the following vulnerability has been resolved: mptcp: fix NULL pointer in can_accept_new_subflow When testing valkey benchmark tool with MPTCP, the kernel panics in 'mptcp_can_accept_new_subflow' because subflow_req->msk is NULL. Call trace: mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P) subflow_syn_recv_sock (./net/mptcp/subflow.c:854) tcp_check_req (./net/ipv4/tcp_minisocks.c:863) tcp_v4_rcv (./net/ipv4/tcp_ipv4.c:2268) ip_protocol_deliver_rcu (./net/ipv4/ip_input.c:207) ip_local_deliver_finish (./net/ipv4/ip_input.c:234) ip_local_deliver (./net/ipv4/ip_input.c:254) ip_rcv_finish (./net/ipv4/ip_input.c:449) ... According to the debug log, the same req received two SYN-ACK in a very short time, very likely because the client retransmits the syn ack due to multiple reasons. Even if the packets are transmitted with a relevant time interval, they can be processed by the server on different CPUs concurrently). The 'subflow_req->msk' ownership is transferred to the subflow the first, and there will be a risk of a null pointer dereference here. This patch fixes this issue by moving the 'subflow_req->msk' under the `own_req == true` conditional. Note that the !msk check in subflow_hmac_valid() can be dropped, because the same check already exists under the own_req mpj branch where the code has been moved to. CVE-2025-23145 SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_94-default-11-150500.2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254255-1/ https://www.suse.com/security/cve/CVE-2025-23145.html CVE-2025-23145 https://bugzilla.suse.com/1242596 SUSE Bug 1242596 https://bugzilla.suse.com/1242882 SUSE Bug 1242882