Security update for the Linux Kernel (Live Patch 63 for SUSE Linux Enterprise 12 SP5) SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0154-1 Final 1 1 2026-01-19T12:08:42Z current 2026-01-19T12:08:42Z 2026-01-19T12:08:42Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel (Live Patch 63 for SUSE Linux Enterprise 12 SP5) This update for the SUSE Linux Enterprise kernel 4.12.14-122.237 fixes various security issues The following security issues were fixed: - CVE-2022-50233: bluetooth: device name can cause reading kernel memory by not supplying terminal \0 (bsc#1249242). - CVE-2022-50327: ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value (bsc#1254451). - CVE-2022-50367: fs: fix UAF/GPF bug in nilfs_mdt_destroy (bsc#1250280). - CVE-2022-50409: net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory (bsc#1250665). - CVE-2023-53676: scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show() (bsc#1251787). - CVE-2023-53717: wifi: ath9k: Fix potential stack-out-of-bounds write in ath9k_wmi_rsp_callback() (bsc#1252563). - CVE-2024-57849: s390/cpum_sf: handle CPU hotplug remove during sampling (bsc#1235815). - CVE-2025-38572: ipv6: reject malicious packets in ipv6_gso_segment() (bsc#1248400). - CVE-2025-40204: sctp: Fix MAC comparison to be constant-time (bsc#1253437). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2026-154,SUSE-SLE-Live-Patching-12-SP5-2026-154 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260154-1/ Link for SUSE-SU-2026:0154-1 https://lists.suse.com/pipermail/sle-security-updates/2026-January/023797.html E-Mail link for SUSE-SU-2026:0154-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1235815 SUSE Bug 1235815 https://bugzilla.suse.com/1248400 SUSE Bug 1248400 https://bugzilla.suse.com/1249242 SUSE Bug 1249242 https://bugzilla.suse.com/1250280 SUSE Bug 1250280 https://bugzilla.suse.com/1250665 SUSE Bug 1250665 https://bugzilla.suse.com/1251787 SUSE Bug 1251787 https://bugzilla.suse.com/1252563 SUSE Bug 1252563 https://bugzilla.suse.com/1253437 SUSE Bug 1253437 https://bugzilla.suse.com/1254451 SUSE Bug 1254451 https://www.suse.com/security/cve/CVE-2022-50233/ SUSE CVE CVE-2022-50233 page https://www.suse.com/security/cve/CVE-2022-50327/ SUSE CVE CVE-2022-50327 page https://www.suse.com/security/cve/CVE-2022-50367/ SUSE CVE CVE-2022-50367 page https://www.suse.com/security/cve/CVE-2022-50409/ SUSE CVE CVE-2022-50409 page https://www.suse.com/security/cve/CVE-2023-53676/ SUSE CVE CVE-2023-53676 page https://www.suse.com/security/cve/CVE-2023-53717/ SUSE CVE CVE-2023-53717 page https://www.suse.com/security/cve/CVE-2024-57849/ SUSE CVE CVE-2024-57849 page https://www.suse.com/security/cve/CVE-2025-38572/ SUSE CVE CVE-2025-38572 page https://www.suse.com/security/cve/CVE-2025-40204/ SUSE CVE CVE-2025-40204 page SUSE Linux Enterprise Live Patching 12 SP5 kgraft-patch-4_12_14-122_237-default-16-2.1 kgraft-patch-4_12_14-122_237-default-16-2.1 as a component of SUSE Linux Enterprise Live Patching 12 SP5 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: eir: Fix using strlen with hdev->{dev_name,short_name} Both dev_name and short_name are not guaranteed to be NULL terminated so this instead use strnlen and then attempt to determine if the resulting string needs to be truncated or not. CVE-2022-50233 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_237-default-16-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260154-1/ https://www.suse.com/security/cve/CVE-2022-50233.html CVE-2022-50233 https://bugzilla.suse.com/1246968 SUSE Bug 1246968 https://bugzilla.suse.com/1247374 SUSE Bug 1247374 https://bugzilla.suse.com/1249242 SUSE Bug 1249242 In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value The return value of acpi_fetch_acpi_dev() could be NULL, which would cause a NULL pointer dereference to occur in acpi_device_hid(). [ rjw: Subject and changelog edits, added empty line after if () ] CVE-2022-50327 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_237-default-16-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260154-1/ https://www.suse.com/security/cve/CVE-2022-50327.html CVE-2022-50327 https://bugzilla.suse.com/1249859 SUSE Bug 1249859 https://bugzilla.suse.com/1254451 SUSE Bug 1254451 In the Linux kernel, the following vulnerability has been resolved: fs: fix UAF/GPF bug in nilfs_mdt_destroy In alloc_inode, inode_init_always() could return -ENOMEM if security_inode_alloc() fails, which causes inode->i_private uninitialized. Then nilfs_is_metadata_file_inode() returns true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(), which frees the uninitialized inode->i_private and leads to crashes(e.g., UAF/GPF). Fix this by moving security_inode_alloc just prior to this_cpu_inc(nr_inodes) CVE-2022-50367 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_237-default-16-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260154-1/ https://www.suse.com/security/cve/CVE-2022-50367.html CVE-2022-50367 https://bugzilla.suse.com/1247374 SUSE Bug 1247374 https://bugzilla.suse.com/1250277 SUSE Bug 1250277 In the Linux kernel, the following vulnerability has been resolved: net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory Fixes the below NULL pointer dereference: [...] [ 14.471200] Call Trace: [ 14.471562] <TASK> [ 14.471882] lock_acquire+0x245/0x2e0 [ 14.472416] ? remove_wait_queue+0x12/0x50 [ 14.473014] ? _raw_spin_lock_irqsave+0x17/0x50 [ 14.473681] _raw_spin_lock_irqsave+0x3d/0x50 [ 14.474318] ? remove_wait_queue+0x12/0x50 [ 14.474907] remove_wait_queue+0x12/0x50 [ 14.475480] sk_stream_wait_memory+0x20d/0x340 [ 14.476127] ? do_wait_intr_irq+0x80/0x80 [ 14.476704] do_tcp_sendpages+0x287/0x600 [ 14.477283] tcp_bpf_push+0xab/0x260 [ 14.477817] tcp_bpf_sendmsg_redir+0x297/0x500 [ 14.478461] ? __local_bh_enable_ip+0x77/0xe0 [ 14.479096] tcp_bpf_send_verdict+0x105/0x470 [ 14.479729] tcp_bpf_sendmsg+0x318/0x4f0 [ 14.480311] sock_sendmsg+0x2d/0x40 [ 14.480822] ____sys_sendmsg+0x1b4/0x1c0 [ 14.481390] ? copy_msghdr_from_user+0x62/0x80 [ 14.482048] ___sys_sendmsg+0x78/0xb0 [ 14.482580] ? vmf_insert_pfn_prot+0x91/0x150 [ 14.483215] ? __do_fault+0x2a/0x1a0 [ 14.483738] ? do_fault+0x15e/0x5d0 [ 14.484246] ? __handle_mm_fault+0x56b/0x1040 [ 14.484874] ? lock_is_held_type+0xdf/0x130 [ 14.485474] ? find_held_lock+0x2d/0x90 [ 14.486046] ? __sys_sendmsg+0x41/0x70 [ 14.486587] __sys_sendmsg+0x41/0x70 [ 14.487105] ? intel_pmu_drain_pebs_core+0x350/0x350 [ 14.487822] do_syscall_64+0x34/0x80 [ 14.488345] entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] The test scenario has the following flow: thread1 thread2 ----------- --------------- tcp_bpf_sendmsg tcp_bpf_send_verdict tcp_bpf_sendmsg_redir sock_close tcp_bpf_push_locked __sock_release tcp_bpf_push //inet_release do_tcp_sendpages sock->ops->release sk_stream_wait_memory // tcp_close sk_wait_event sk->sk_prot->close release_sock(__sk); *** lock_sock(sk); __tcp_close sock_orphan(sk) sk->sk_wq = NULL release_sock **** lock_sock(__sk); remove_wait_queue(sk_sleep(sk), &wait); sk_sleep(sk) //NULL pointer dereference &rcu_dereference_raw(sk->sk_wq)->wait While waiting for memory in thread1, the socket is released with its wait queue because thread2 has closed it. This caused by tcp_bpf_send_verdict didn't increase the f_count of psock->sk_redir->sk_socket->file in thread1. We should check if SOCK_DEAD flag is set on wakeup in sk_stream_wait_memory before accessing the wait queue. CVE-2022-50409 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_237-default-16-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260154-1/ https://www.suse.com/security/cve/CVE-2022-50409.html CVE-2022-50409 https://bugzilla.suse.com/1247374 SUSE Bug 1247374 https://bugzilla.suse.com/1250392 SUSE Bug 1250392 https://bugzilla.suse.com/1250665 SUSE Bug 1250665 In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show() The function lio_target_nacl_info_show() uses sprintf() in a loop to print details for every iSCSI connection in a session without checking for the buffer length. With enough iSCSI connections it's possible to overflow the buffer provided by configfs and corrupt the memory. This patch replaces sprintf() with sysfs_emit_at() that checks for buffer boundries. CVE-2023-53676 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_237-default-16-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260154-1/ https://www.suse.com/security/cve/CVE-2023-53676.html CVE-2023-53676 https://bugzilla.suse.com/1251786 SUSE Bug 1251786 https://bugzilla.suse.com/1251787 SUSE Bug 1251787 In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: Fix potential stack-out-of-bounds write in ath9k_wmi_rsp_callback() Fix a stack-out-of-bounds write that occurs in a WMI response callback function that is called after a timeout occurs in ath9k_wmi_cmd(). The callback writes to wmi->cmd_rsp_buf, a stack-allocated buffer that could no longer be valid when a timeout occurs. Set wmi->last_seq_id to 0 when a timeout occurred. Found by a modified version of syzkaller. BUG: KASAN: stack-out-of-bounds in ath9k_wmi_ctrl_rx Write of size 4 Call Trace: memcpy ath9k_wmi_ctrl_rx ath9k_htc_rx_msg ath9k_hif_usb_reg_in_cb __usb_hcd_giveback_urb usb_hcd_giveback_urb dummy_timer call_timer_fn run_timer_softirq __do_softirq irq_exit_rcu sysvec_apic_timer_interrupt CVE-2023-53717 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_237-default-16-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260154-1/ https://www.suse.com/security/cve/CVE-2023-53717.html CVE-2023-53717 https://bugzilla.suse.com/1252560 SUSE Bug 1252560 https://bugzilla.suse.com/1252563 SUSE Bug 1252563 In the Linux kernel, the following vulnerability has been resolved: s390/cpum_sf: Handle CPU hotplug remove during sampling CPU hotplug remove handling triggers the following function call sequence: CPUHP_AP_PERF_S390_SF_ONLINE --> s390_pmu_sf_offline_cpu() ... CPUHP_AP_PERF_ONLINE --> perf_event_exit_cpu() The s390 CPUMF sampling CPU hotplug handler invokes: s390_pmu_sf_offline_cpu() +--> cpusf_pmu_setup() +--> setup_pmc_cpu() +--> deallocate_buffers() This function de-allocates all sampling data buffers (SDBs) allocated for that CPU at event initialization. It also clears the PMU_F_RESERVED bit. The CPU is gone and can not be sampled. With the event still being active on the removed CPU, the CPU event hotplug support in kernel performance subsystem triggers the following function calls on the removed CPU: perf_event_exit_cpu() +--> perf_event_exit_cpu_context() +--> __perf_event_exit_context() +--> __perf_remove_from_context() +--> event_sched_out() +--> cpumsf_pmu_del() +--> cpumsf_pmu_stop() +--> hw_perf_event_update() to stop and remove the event. During removal of the event, the sampling device driver tries to read out the remaining samples from the sample data buffers (SDBs). But they have already been freed (and may have been re-assigned). This may lead to a use after free situation in which case the samples are most likely invalid. In the best case the memory has not been reassigned and still contains valid data. Remedy this situation and check if the CPU is still in reserved state (bit PMU_F_RESERVED set). In this case the SDBs have not been released an contain valid data. This is always the case when the event is removed (and no CPU hotplug off occured). If the PMU_F_RESERVED bit is not set, the SDB buffers are gone. CVE-2024-57849 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_237-default-16-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260154-1/ https://www.suse.com/security/cve/CVE-2024-57849.html CVE-2024-57849 https://bugzilla.suse.com/1235814 SUSE Bug 1235814 https://bugzilla.suse.com/1235815 SUSE Bug 1235815 In the Linux kernel, the following vulnerability has been resolved: ipv6: reject malicious packets in ipv6_gso_segment() syzbot was able to craft a packet with very long IPv6 extension headers leading to an overflow of skb->transport_header. This 16bit field has a limited range. Add skb_reset_transport_header_careful() helper and use it from ipv6_gso_segment() WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skb_reset_transport_header include/linux/skbuff.h:3032 [inline] WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151 Modules linked in: CPU: 0 UID: 0 PID: 5871 Comm: syz-executor211 Not tainted 6.16.0-rc6-syzkaller-g7abc678e3084 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 RIP: 0010:skb_reset_transport_header include/linux/skbuff.h:3032 [inline] RIP: 0010:ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151 Call Trace: <TASK> skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53 nsh_gso_segment+0x54a/0xe10 net/nsh/nsh.c:110 skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53 __skb_gso_segment+0x342/0x510 net/core/gso.c:124 skb_gso_segment include/net/gso.h:83 [inline] validate_xmit_skb+0x857/0x11b0 net/core/dev.c:3950 validate_xmit_skb_list+0x84/0x120 net/core/dev.c:4000 sch_direct_xmit+0xd3/0x4b0 net/sched/sch_generic.c:329 __dev_xmit_skb net/core/dev.c:4102 [inline] __dev_queue_xmit+0x17b6/0x3a70 net/core/dev.c:4679 CVE-2025-38572 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_237-default-16-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260154-1/ https://www.suse.com/security/cve/CVE-2025-38572.html CVE-2025-38572 https://bugzilla.suse.com/1248399 SUSE Bug 1248399 https://bugzilla.suse.com/1248400 SUSE Bug 1248400 In the Linux kernel, the following vulnerability has been resolved: sctp: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this. CVE-2025-40204 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_237-default-16-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260154-1/ https://www.suse.com/security/cve/CVE-2025-40204.html CVE-2025-40204 https://bugzilla.suse.com/1253436 SUSE Bug 1253436 https://bugzilla.suse.com/1253437 SUSE Bug 1253437