Security update for the Linux Kernel (Live Patch 72 for SUSE Linux Enterprise 12 SP5) SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0155-1 Final 1 1 2026-01-19T12:11:10Z current 2026-01-19T12:11:10Z 2026-01-19T12:11:10Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel (Live Patch 72 for SUSE Linux Enterprise 12 SP5) This update for the SUSE Linux Enterprise kernel 4.12.14-122.272 fixes various security issues The following security issues were fixed: - CVE-2022-50233: bluetooth: device name can cause reading kernel memory by not supplying terminal \0 (bsc#1249242). - CVE-2022-50327: ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value (bsc#1254451). - CVE-2022-50367: fs: fix UAF/GPF bug in nilfs_mdt_destroy (bsc#1250280). - CVE-2022-50409: net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory (bsc#1250665). - CVE-2023-53676: scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show() (bsc#1251787). - CVE-2023-53717: wifi: ath9k: Fix potential stack-out-of-bounds write in ath9k_wmi_rsp_callback() (bsc#1252563). - CVE-2025-38572: ipv6: reject malicious packets in ipv6_gso_segment() (bsc#1248400). - CVE-2025-40204: sctp: Fix MAC comparison to be constant-time (bsc#1253437). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2026-155,SUSE-SLE-Live-Patching-12-SP5-2026-161 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260155-1/ Link for SUSE-SU-2026:0155-1 https://lists.suse.com/pipermail/sle-security-updates/2026-January/023796.html E-Mail link for SUSE-SU-2026:0155-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1248400 SUSE Bug 1248400 https://bugzilla.suse.com/1249242 SUSE Bug 1249242 https://bugzilla.suse.com/1250280 SUSE Bug 1250280 https://bugzilla.suse.com/1250665 SUSE Bug 1250665 https://bugzilla.suse.com/1251787 SUSE Bug 1251787 https://bugzilla.suse.com/1252563 SUSE Bug 1252563 https://bugzilla.suse.com/1253437 SUSE Bug 1253437 https://bugzilla.suse.com/1254451 SUSE Bug 1254451 https://www.suse.com/security/cve/CVE-2022-50233/ SUSE CVE CVE-2022-50233 page https://www.suse.com/security/cve/CVE-2022-50327/ SUSE CVE CVE-2022-50327 page https://www.suse.com/security/cve/CVE-2022-50367/ SUSE CVE CVE-2022-50367 page https://www.suse.com/security/cve/CVE-2022-50409/ SUSE CVE CVE-2022-50409 page https://www.suse.com/security/cve/CVE-2023-53676/ SUSE CVE CVE-2023-53676 page https://www.suse.com/security/cve/CVE-2023-53717/ SUSE CVE CVE-2023-53717 page https://www.suse.com/security/cve/CVE-2025-38572/ SUSE CVE CVE-2025-38572 page https://www.suse.com/security/cve/CVE-2025-40204/ SUSE CVE CVE-2025-40204 page SUSE Linux Enterprise Live Patching 12 SP5 kgraft-patch-4_12_14-122_244-default-14-2.1 kgraft-patch-4_12_14-122_272-default-4-2.1 kgraft-patch-4_12_14-122_272-default-4-2.1 as a component of SUSE Linux Enterprise Live Patching 12 SP5 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: eir: Fix using strlen with hdev->{dev_name,short_name} Both dev_name and short_name are not guaranteed to be NULL terminated so this instead use strnlen and then attempt to determine if the resulting string needs to be truncated or not. CVE-2022-50233 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_272-default-4-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260155-1/ https://www.suse.com/security/cve/CVE-2022-50233.html CVE-2022-50233 https://bugzilla.suse.com/1246968 SUSE Bug 1246968 https://bugzilla.suse.com/1247374 SUSE Bug 1247374 https://bugzilla.suse.com/1249242 SUSE Bug 1249242 In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value The return value of acpi_fetch_acpi_dev() could be NULL, which would cause a NULL pointer dereference to occur in acpi_device_hid(). [ rjw: Subject and changelog edits, added empty line after if () ] CVE-2022-50327 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_272-default-4-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260155-1/ https://www.suse.com/security/cve/CVE-2022-50327.html CVE-2022-50327 https://bugzilla.suse.com/1249859 SUSE Bug 1249859 https://bugzilla.suse.com/1254451 SUSE Bug 1254451 In the Linux kernel, the following vulnerability has been resolved: fs: fix UAF/GPF bug in nilfs_mdt_destroy In alloc_inode, inode_init_always() could return -ENOMEM if security_inode_alloc() fails, which causes inode->i_private uninitialized. Then nilfs_is_metadata_file_inode() returns true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(), which frees the uninitialized inode->i_private and leads to crashes(e.g., UAF/GPF). Fix this by moving security_inode_alloc just prior to this_cpu_inc(nr_inodes) CVE-2022-50367 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_272-default-4-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260155-1/ https://www.suse.com/security/cve/CVE-2022-50367.html CVE-2022-50367 https://bugzilla.suse.com/1247374 SUSE Bug 1247374 https://bugzilla.suse.com/1250277 SUSE Bug 1250277 In the Linux kernel, the following vulnerability has been resolved: net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory Fixes the below NULL pointer dereference: [...] [ 14.471200] Call Trace: [ 14.471562] <TASK> [ 14.471882] lock_acquire+0x245/0x2e0 [ 14.472416] ? remove_wait_queue+0x12/0x50 [ 14.473014] ? _raw_spin_lock_irqsave+0x17/0x50 [ 14.473681] _raw_spin_lock_irqsave+0x3d/0x50 [ 14.474318] ? remove_wait_queue+0x12/0x50 [ 14.474907] remove_wait_queue+0x12/0x50 [ 14.475480] sk_stream_wait_memory+0x20d/0x340 [ 14.476127] ? do_wait_intr_irq+0x80/0x80 [ 14.476704] do_tcp_sendpages+0x287/0x600 [ 14.477283] tcp_bpf_push+0xab/0x260 [ 14.477817] tcp_bpf_sendmsg_redir+0x297/0x500 [ 14.478461] ? __local_bh_enable_ip+0x77/0xe0 [ 14.479096] tcp_bpf_send_verdict+0x105/0x470 [ 14.479729] tcp_bpf_sendmsg+0x318/0x4f0 [ 14.480311] sock_sendmsg+0x2d/0x40 [ 14.480822] ____sys_sendmsg+0x1b4/0x1c0 [ 14.481390] ? copy_msghdr_from_user+0x62/0x80 [ 14.482048] ___sys_sendmsg+0x78/0xb0 [ 14.482580] ? vmf_insert_pfn_prot+0x91/0x150 [ 14.483215] ? __do_fault+0x2a/0x1a0 [ 14.483738] ? do_fault+0x15e/0x5d0 [ 14.484246] ? __handle_mm_fault+0x56b/0x1040 [ 14.484874] ? lock_is_held_type+0xdf/0x130 [ 14.485474] ? find_held_lock+0x2d/0x90 [ 14.486046] ? __sys_sendmsg+0x41/0x70 [ 14.486587] __sys_sendmsg+0x41/0x70 [ 14.487105] ? intel_pmu_drain_pebs_core+0x350/0x350 [ 14.487822] do_syscall_64+0x34/0x80 [ 14.488345] entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] The test scenario has the following flow: thread1 thread2 ----------- --------------- tcp_bpf_sendmsg tcp_bpf_send_verdict tcp_bpf_sendmsg_redir sock_close tcp_bpf_push_locked __sock_release tcp_bpf_push //inet_release do_tcp_sendpages sock->ops->release sk_stream_wait_memory // tcp_close sk_wait_event sk->sk_prot->close release_sock(__sk); *** lock_sock(sk); __tcp_close sock_orphan(sk) sk->sk_wq = NULL release_sock **** lock_sock(__sk); remove_wait_queue(sk_sleep(sk), &wait); sk_sleep(sk) //NULL pointer dereference &rcu_dereference_raw(sk->sk_wq)->wait While waiting for memory in thread1, the socket is released with its wait queue because thread2 has closed it. This caused by tcp_bpf_send_verdict didn't increase the f_count of psock->sk_redir->sk_socket->file in thread1. We should check if SOCK_DEAD flag is set on wakeup in sk_stream_wait_memory before accessing the wait queue. CVE-2022-50409 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_272-default-4-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260155-1/ https://www.suse.com/security/cve/CVE-2022-50409.html CVE-2022-50409 https://bugzilla.suse.com/1247374 SUSE Bug 1247374 https://bugzilla.suse.com/1250392 SUSE Bug 1250392 https://bugzilla.suse.com/1250665 SUSE Bug 1250665 In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show() The function lio_target_nacl_info_show() uses sprintf() in a loop to print details for every iSCSI connection in a session without checking for the buffer length. With enough iSCSI connections it's possible to overflow the buffer provided by configfs and corrupt the memory. This patch replaces sprintf() with sysfs_emit_at() that checks for buffer boundries. CVE-2023-53676 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_272-default-4-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260155-1/ https://www.suse.com/security/cve/CVE-2023-53676.html CVE-2023-53676 https://bugzilla.suse.com/1251786 SUSE Bug 1251786 https://bugzilla.suse.com/1251787 SUSE Bug 1251787 In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: Fix potential stack-out-of-bounds write in ath9k_wmi_rsp_callback() Fix a stack-out-of-bounds write that occurs in a WMI response callback function that is called after a timeout occurs in ath9k_wmi_cmd(). The callback writes to wmi->cmd_rsp_buf, a stack-allocated buffer that could no longer be valid when a timeout occurs. Set wmi->last_seq_id to 0 when a timeout occurred. Found by a modified version of syzkaller. BUG: KASAN: stack-out-of-bounds in ath9k_wmi_ctrl_rx Write of size 4 Call Trace: memcpy ath9k_wmi_ctrl_rx ath9k_htc_rx_msg ath9k_hif_usb_reg_in_cb __usb_hcd_giveback_urb usb_hcd_giveback_urb dummy_timer call_timer_fn run_timer_softirq __do_softirq irq_exit_rcu sysvec_apic_timer_interrupt CVE-2023-53717 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_272-default-4-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260155-1/ https://www.suse.com/security/cve/CVE-2023-53717.html CVE-2023-53717 https://bugzilla.suse.com/1252560 SUSE Bug 1252560 https://bugzilla.suse.com/1252563 SUSE Bug 1252563 In the Linux kernel, the following vulnerability has been resolved: ipv6: reject malicious packets in ipv6_gso_segment() syzbot was able to craft a packet with very long IPv6 extension headers leading to an overflow of skb->transport_header. This 16bit field has a limited range. Add skb_reset_transport_header_careful() helper and use it from ipv6_gso_segment() WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skb_reset_transport_header include/linux/skbuff.h:3032 [inline] WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151 Modules linked in: CPU: 0 UID: 0 PID: 5871 Comm: syz-executor211 Not tainted 6.16.0-rc6-syzkaller-g7abc678e3084 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 RIP: 0010:skb_reset_transport_header include/linux/skbuff.h:3032 [inline] RIP: 0010:ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151 Call Trace: <TASK> skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53 nsh_gso_segment+0x54a/0xe10 net/nsh/nsh.c:110 skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53 __skb_gso_segment+0x342/0x510 net/core/gso.c:124 skb_gso_segment include/net/gso.h:83 [inline] validate_xmit_skb+0x857/0x11b0 net/core/dev.c:3950 validate_xmit_skb_list+0x84/0x120 net/core/dev.c:4000 sch_direct_xmit+0xd3/0x4b0 net/sched/sch_generic.c:329 __dev_xmit_skb net/core/dev.c:4102 [inline] __dev_queue_xmit+0x17b6/0x3a70 net/core/dev.c:4679 CVE-2025-38572 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_272-default-4-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260155-1/ https://www.suse.com/security/cve/CVE-2025-38572.html CVE-2025-38572 https://bugzilla.suse.com/1248399 SUSE Bug 1248399 https://bugzilla.suse.com/1248400 SUSE Bug 1248400 In the Linux kernel, the following vulnerability has been resolved: sctp: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this. CVE-2025-40204 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_272-default-4-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260155-1/ https://www.suse.com/security/cve/CVE-2025-40204.html CVE-2025-40204 https://bugzilla.suse.com/1253436 SUSE Bug 1253436 https://bugzilla.suse.com/1253437 SUSE Bug 1253437