Security update for the Linux Kernel (Live Patch 0 for SUSE Linux Enterprise 16) SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:20149-1 Final 1 1 2026-01-26T11:24:31Z current 2026-01-26T11:24:31Z 2026-01-26T11:24:31Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel (Live Patch 0 for SUSE Linux Enterprise 16) This update for the SUSE Linux Enterprise kernel 6.12.0-160000.5.1 fixes various security issues The following security issues were fixed: - CVE-2024-53164: net: sched: fix ordering of qlen adjustment (bsc#1246019). - CVE-2025-38500: xfrm: interface: fix use-after-free after changing collect_md xfrm interface (bsc#1248672). - CVE-2025-38554: mm: fix a UAF when vma->mm is freed after vma->vm_refcnt got dropped (bsc#1248301). - CVE-2025-38572: ipv6: reject malicious packets in ipv6_gso_segment() (bsc#1248400). - CVE-2025-38588: ipv6: prevent infinite loop in rt6_nlmsg_size() (bsc#1249241). - CVE-2025-38608: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls (bsc#1248670). - CVE-2025-38616: tls: handle data disappearing from under the TLS ULP (bsc#1249537). - CVE-2025-38617: net/packet: fix a race in packet_set_ring() and packet_notifier() (bsc#1249208). - CVE-2025-38618: vsock: Do not allow binding to VMADDR_PORT_ANY (bsc#1249207). - CVE-2025-38664: ice: Fix a null pointer dereference in ice_copy_and_init_pkg() (bsc#1248631). - CVE-2025-39682: tls: fix handling of zero-length records on the rx_list (bsc#1250192). - CVE-2025-39963: io_uring: fix incorrect io_kiocb reference in io_link_skb (bsc#1251982). - CVE-2025-40204: sctp: Fix MAC comparison to be constant-time (bsc#1253437). - CVE-2025-40212: nfsd: fix refcount leak in nfsd_set_fh_dentry() (bsc#1254196). The following non security issues were fixed: - Explicitly add module-common.c with vermagic and retpoline modinfo (bsc#1252270). - powerpc64/modules: correctly iterate over stubs in setup_ftrace_ool_stubs (bsc#1251956). - fix addr_bit_set() issue on big-endian machines (bsc#1256928). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLES-16.0-196 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-202620149-1/ Link for SUSE-SU-2026:20149-1 https://lists.suse.com/pipermail/sle-security-updates/2026-January/023950.html E-Mail link for SUSE-SU-2026:20149-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1246019 SUSE Bug 1246019 https://bugzilla.suse.com/1248301 SUSE Bug 1248301 https://bugzilla.suse.com/1248400 SUSE Bug 1248400 https://bugzilla.suse.com/1248631 SUSE Bug 1248631 https://bugzilla.suse.com/1248670 SUSE Bug 1248670 https://bugzilla.suse.com/1248672 SUSE Bug 1248672 https://bugzilla.suse.com/1249207 SUSE Bug 1249207 https://bugzilla.suse.com/1249208 SUSE Bug 1249208 https://bugzilla.suse.com/1249241 SUSE Bug 1249241 https://bugzilla.suse.com/1249537 SUSE Bug 1249537 https://bugzilla.suse.com/1250192 SUSE Bug 1250192 https://bugzilla.suse.com/1251956 SUSE Bug 1251956 https://bugzilla.suse.com/1251982 SUSE Bug 1251982 https://bugzilla.suse.com/1252270 SUSE Bug 1252270 https://bugzilla.suse.com/1253437 SUSE Bug 1253437 https://bugzilla.suse.com/1254196 SUSE Bug 1254196 https://bugzilla.suse.com/1256928 SUSE Bug 1256928 https://www.suse.com/security/cve/CVE-2024-53164/ SUSE CVE CVE-2024-53164 page https://www.suse.com/security/cve/CVE-2025-38500/ SUSE CVE CVE-2025-38500 page https://www.suse.com/security/cve/CVE-2025-38554/ SUSE CVE CVE-2025-38554 page https://www.suse.com/security/cve/CVE-2025-38572/ SUSE CVE CVE-2025-38572 page https://www.suse.com/security/cve/CVE-2025-38588/ SUSE CVE CVE-2025-38588 page https://www.suse.com/security/cve/CVE-2025-38608/ SUSE CVE CVE-2025-38608 page https://www.suse.com/security/cve/CVE-2025-38616/ SUSE CVE CVE-2025-38616 page https://www.suse.com/security/cve/CVE-2025-38617/ SUSE CVE CVE-2025-38617 page https://www.suse.com/security/cve/CVE-2025-38618/ SUSE CVE CVE-2025-38618 page https://www.suse.com/security/cve/CVE-2025-38664/ SUSE CVE CVE-2025-38664 page https://www.suse.com/security/cve/CVE-2025-39682/ SUSE CVE CVE-2025-39682 page https://www.suse.com/security/cve/CVE-2025-39963/ SUSE CVE CVE-2025-39963 page https://www.suse.com/security/cve/CVE-2025-40204/ SUSE CVE CVE-2025-40204 page https://www.suse.com/security/cve/CVE-2025-40212/ SUSE CVE CVE-2025-40212 page SUSE Linux Enterprise Server 16.0 SUSE Linux Enterprise Server for SAP applications 16.0 kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 as a component of SUSE Linux Enterprise Server 16.0 kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 In the Linux kernel, the following vulnerability has been resolved: net: sched: fix ordering of qlen adjustment Changes to sch->q.qlen around qdisc_tree_reduce_backlog() need to happen _before_ a call to said function because otherwise it may fail to notify parent qdiscs when the child is about to become empty. CVE-2024-53164 SUSE Linux Enterprise Server 16.0:kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 SUSE Linux Enterprise Server for SAP applications 16.0:kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620149-1/ https://www.suse.com/security/cve/CVE-2024-53164.html CVE-2024-53164 https://bugzilla.suse.com/1234863 SUSE Bug 1234863 https://bugzilla.suse.com/1246019 SUSE Bug 1246019 In the Linux kernel, the following vulnerability has been resolved: xfrm: interface: fix use-after-free after changing collect_md xfrm interface collect_md property on xfrm interfaces can only be set on device creation, thus xfrmi_changelink() should fail when called on such interfaces. The check to enforce this was done only in the case where the xi was returned from xfrmi_locate() which doesn't look for the collect_md interface, and thus the validation was never reached. Calling changelink would thus errornously place the special interface xi in the xfrmi_net->xfrmi hash, but since it also exists in the xfrmi_net->collect_md_xfrmi pointer it would lead to a double free when the net namespace was taken down [1]. Change the check to use the xi from netdev_priv which is available earlier in the function to prevent changes in xfrm collect_md interfaces. [1] resulting oops: [ 8.516540] kernel BUG at net/core/dev.c:12029! [ 8.516552] Oops: invalid opcode: 0000 [#1] SMP NOPTI [ 8.516559] CPU: 0 UID: 0 PID: 12 Comm: kworker/u80:0 Not tainted 6.15.0-virtme #5 PREEMPT(voluntary) [ 8.516565] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 8.516569] Workqueue: netns cleanup_net [ 8.516579] RIP: 0010:unregister_netdevice_many_notify+0x101/0xab0 [ 8.516590] Code: 90 0f 0b 90 48 8b b0 78 01 00 00 48 8b 90 80 01 00 00 48 89 56 08 48 89 32 4c 89 80 78 01 00 00 48 89 b8 80 01 00 00 eb ac 90 <0f> 0b 48 8b 45 00 4c 8d a0 88 fe ff ff 48 39 c5 74 5c 41 80 bc 24 [ 8.516593] RSP: 0018:ffffa93b8006bd30 EFLAGS: 00010206 [ 8.516598] RAX: ffff98fe4226e000 RBX: ffffa93b8006bd58 RCX: ffffa93b8006bc60 [ 8.516601] RDX: 0000000000000004 RSI: 0000000000000000 RDI: dead000000000122 [ 8.516603] RBP: ffffa93b8006bdd8 R08: dead000000000100 R09: ffff98fe4133c100 [ 8.516605] R10: 0000000000000000 R11: 00000000000003d2 R12: ffffa93b8006be00 [ 8.516608] R13: ffffffff96c1a510 R14: ffffffff96c1a510 R15: ffffa93b8006be00 [ 8.516615] FS: 0000000000000000(0000) GS:ffff98fee73b7000(0000) knlGS:0000000000000000 [ 8.516619] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 8.516622] CR2: 00007fcd2abd0700 CR3: 000000003aa40000 CR4: 0000000000752ef0 [ 8.516625] PKRU: 55555554 [ 8.516627] Call Trace: [ 8.516632] <TASK> [ 8.516635] ? rtnl_is_locked+0x15/0x20 [ 8.516641] ? unregister_netdevice_queue+0x29/0xf0 [ 8.516650] ops_undo_list+0x1f2/0x220 [ 8.516659] cleanup_net+0x1ad/0x2e0 [ 8.516664] process_one_work+0x160/0x380 [ 8.516673] worker_thread+0x2aa/0x3c0 [ 8.516679] ? __pfx_worker_thread+0x10/0x10 [ 8.516686] kthread+0xfb/0x200 [ 8.516690] ? __pfx_kthread+0x10/0x10 [ 8.516693] ? __pfx_kthread+0x10/0x10 [ 8.516697] ret_from_fork+0x82/0xf0 [ 8.516705] ? __pfx_kthread+0x10/0x10 [ 8.516709] ret_from_fork_asm+0x1a/0x30 [ 8.516718] </TASK> CVE-2025-38500 SUSE Linux Enterprise Server 16.0:kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 SUSE Linux Enterprise Server for SAP applications 16.0:kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620149-1/ https://www.suse.com/security/cve/CVE-2025-38500.html CVE-2025-38500 https://bugzilla.suse.com/1248088 SUSE Bug 1248088 https://bugzilla.suse.com/1248672 SUSE Bug 1248672 In the Linux kernel, the following vulnerability has been resolved: mm: fix a UAF when vma->mm is freed after vma->vm_refcnt got dropped By inducing delays in the right places, Jann Horn created a reproducer for a hard to hit UAF issue that became possible after VMAs were allowed to be recycled by adding SLAB_TYPESAFE_BY_RCU to their cache. Race description is borrowed from Jann's discovery report: lock_vma_under_rcu() looks up a VMA locklessly with mas_walk() under rcu_read_lock(). At that point, the VMA may be concurrently freed, and it can be recycled by another process. vma_start_read() then increments the vma->vm_refcnt (if it is in an acceptable range), and if this succeeds, vma_start_read() can return a recycled VMA. In this scenario where the VMA has been recycled, lock_vma_under_rcu() will then detect the mismatching ->vm_mm pointer and drop the VMA through vma_end_read(), which calls vma_refcount_put(). vma_refcount_put() drops the refcount and then calls rcuwait_wake_up() using a copy of vma->vm_mm. This is wrong: It implicitly assumes that the caller is keeping the VMA's mm alive, but in this scenario the caller has no relation to the VMA's mm, so the rcuwait_wake_up() can cause UAF. The diagram depicting the race: T1 T2 T3 == == == lock_vma_under_rcu mas_walk <VMA gets removed from mm> mmap <the same VMA is reallocated> vma_start_read __refcount_inc_not_zero_limited_acquire munmap __vma_enter_locked refcount_add_not_zero vma_end_read vma_refcount_put __refcount_dec_and_test rcuwait_wait_event <finish operation> rcuwait_wake_up [UAF] Note that rcuwait_wait_event() in T3 does not block because refcount was already dropped by T1. At this point T3 can exit and free the mm causing UAF in T1. To avoid this we move vma->vm_mm verification into vma_start_read() and grab vma->vm_mm to stabilize it before vma_refcount_put() operation. [surenb@google.com: v3] CVE-2025-38554 SUSE Linux Enterprise Server 16.0:kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 SUSE Linux Enterprise Server for SAP applications 16.0:kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620149-1/ https://www.suse.com/security/cve/CVE-2025-38554.html CVE-2025-38554 https://bugzilla.suse.com/1248299 SUSE Bug 1248299 https://bugzilla.suse.com/1248301 SUSE Bug 1248301 In the Linux kernel, the following vulnerability has been resolved: ipv6: reject malicious packets in ipv6_gso_segment() syzbot was able to craft a packet with very long IPv6 extension headers leading to an overflow of skb->transport_header. This 16bit field has a limited range. Add skb_reset_transport_header_careful() helper and use it from ipv6_gso_segment() WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skb_reset_transport_header include/linux/skbuff.h:3032 [inline] WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151 Modules linked in: CPU: 0 UID: 0 PID: 5871 Comm: syz-executor211 Not tainted 6.16.0-rc6-syzkaller-g7abc678e3084 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 RIP: 0010:skb_reset_transport_header include/linux/skbuff.h:3032 [inline] RIP: 0010:ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151 Call Trace: <TASK> skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53 nsh_gso_segment+0x54a/0xe10 net/nsh/nsh.c:110 skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53 __skb_gso_segment+0x342/0x510 net/core/gso.c:124 skb_gso_segment include/net/gso.h:83 [inline] validate_xmit_skb+0x857/0x11b0 net/core/dev.c:3950 validate_xmit_skb_list+0x84/0x120 net/core/dev.c:4000 sch_direct_xmit+0xd3/0x4b0 net/sched/sch_generic.c:329 __dev_xmit_skb net/core/dev.c:4102 [inline] __dev_queue_xmit+0x17b6/0x3a70 net/core/dev.c:4679 CVE-2025-38572 SUSE Linux Enterprise Server 16.0:kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 SUSE Linux Enterprise Server for SAP applications 16.0:kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620149-1/ https://www.suse.com/security/cve/CVE-2025-38572.html CVE-2025-38572 https://bugzilla.suse.com/1248399 SUSE Bug 1248399 https://bugzilla.suse.com/1248400 SUSE Bug 1248400 In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent infinite loop in rt6_nlmsg_size() While testing prior patch, I was able to trigger an infinite loop in rt6_nlmsg_size() in the following place: list_for_each_entry_rcu(sibling, &f6i->fib6_siblings, fib6_siblings) { rt6_nh_nlmsg_size(sibling->fib6_nh, &nexthop_len); } This is because fib6_del_route() and fib6_add_rt2node() uses list_del_rcu(), which can confuse rcu readers, because they might no longer see the head of the list. Restart the loop if f6i->fib6_nsiblings is zero. CVE-2025-38588 SUSE Linux Enterprise Server 16.0:kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 SUSE Linux Enterprise Server for SAP applications 16.0:kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620149-1/ https://www.suse.com/security/cve/CVE-2025-38588.html CVE-2025-38588 https://bugzilla.suse.com/1248368 SUSE Bug 1248368 https://bugzilla.suse.com/1249241 SUSE Bug 1249241 In the Linux kernel, the following vulnerability has been resolved: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls When sending plaintext data, we initially calculated the corresponding ciphertext length. However, if we later reduced the plaintext data length via socket policy, we failed to recalculate the ciphertext length. This results in transmitting buffers containing uninitialized data during ciphertext transmission. This causes uninitialized bytes to be appended after a complete "Application Data" packet, leading to errors on the receiving end when parsing TLS record. CVE-2025-38608 SUSE Linux Enterprise Server 16.0:kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 SUSE Linux Enterprise Server for SAP applications 16.0:kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620149-1/ https://www.suse.com/security/cve/CVE-2025-38608.html CVE-2025-38608 https://bugzilla.suse.com/1248338 SUSE Bug 1248338 https://bugzilla.suse.com/1248670 SUSE Bug 1248670 In the Linux kernel, the following vulnerability has been resolved: tls: handle data disappearing from under the TLS ULP TLS expects that it owns the receive queue of the TCP socket. This cannot be guaranteed in case the reader of the TCP socket entered before the TLS ULP was installed, or uses some non-standard read API (eg. zerocopy ones). Replace the WARN_ON() and a buggy early exit (which leaves anchor pointing to a freed skb) with real error handling. Wipe the parsing state and tell the reader to retry. We already reload the anchor every time we (re)acquire the socket lock, so the only condition we need to avoid is an out of bounds read (not having enough bytes in the socket for previously parsed record len). If some data was read from under TLS but there's enough in the queue we'll reload and decrypt what is most likely not a valid TLS record. Leading to some undefined behavior from TLS perspective (corrupting a stream? missing an alert? missing an attack?) but no kernel crash should take place. CVE-2025-38616 SUSE Linux Enterprise Server 16.0:kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 SUSE Linux Enterprise Server for SAP applications 16.0:kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620149-1/ https://www.suse.com/security/cve/CVE-2025-38616.html CVE-2025-38616 https://bugzilla.suse.com/1248512 SUSE Bug 1248512 https://bugzilla.suse.com/1249537 SUSE Bug 1249537 In the Linux kernel, the following vulnerability has been resolved: net/packet: fix a race in packet_set_ring() and packet_notifier() When packet_set_ring() releases po->bind_lock, another thread can run packet_notifier() and process an NETDEV_UP event. This race and the fix are both similar to that of commit 15fe076edea7 ("net/packet: fix a race in packet_bind() and packet_notifier()"). There too the packet_notifier NETDEV_UP event managed to run while a po->bind_lock critical section had to be temporarily released. And the fix was similarly to temporarily set po->num to zero to keep the socket unhooked until the lock is retaken. The po->bind_lock in packet_set_ring and packet_notifier precede the introduction of git history. CVE-2025-38617 SUSE Linux Enterprise Server 16.0:kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 SUSE Linux Enterprise Server for SAP applications 16.0:kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620149-1/ https://www.suse.com/security/cve/CVE-2025-38617.html CVE-2025-38617 https://bugzilla.suse.com/1247374 SUSE Bug 1247374 https://bugzilla.suse.com/1248621 SUSE Bug 1248621 https://bugzilla.suse.com/1249208 SUSE Bug 1249208 https://bugzilla.suse.com/1253291 SUSE Bug 1253291 In the Linux kernel, the following vulnerability has been resolved: vsock: Do not allow binding to VMADDR_PORT_ANY It is possible for a vsock to autobind to VMADDR_PORT_ANY. This can cause a use-after-free when a connection is made to the bound socket. The socket returned by accept() also has port VMADDR_PORT_ANY but is not on the list of unbound sockets. Binding it will result in an extra refcount decrement similar to the one fixed in fcdd2242c023 (vsock: Keep the binding until socket destruction). Modify the check in __vsock_bind_connectible() to also prevent binding to VMADDR_PORT_ANY. CVE-2025-38618 SUSE Linux Enterprise Server 16.0:kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 SUSE Linux Enterprise Server for SAP applications 16.0:kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620149-1/ https://www.suse.com/security/cve/CVE-2025-38618.html CVE-2025-38618 https://bugzilla.suse.com/1248511 SUSE Bug 1248511 https://bugzilla.suse.com/1249207 SUSE Bug 1249207 In the Linux kernel, the following vulnerability has been resolved: ice: Fix a null pointer dereference in ice_copy_and_init_pkg() Add check for the return value of devm_kmemdup() to prevent potential null pointer dereference. CVE-2025-38664 SUSE Linux Enterprise Server 16.0:kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 SUSE Linux Enterprise Server for SAP applications 16.0:kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620149-1/ https://www.suse.com/security/cve/CVE-2025-38664.html CVE-2025-38664 https://bugzilla.suse.com/1248628 SUSE Bug 1248628 https://bugzilla.suse.com/1248631 SUSE Bug 1248631 In the Linux kernel, the following vulnerability has been resolved: tls: fix handling of zero-length records on the rx_list Each recvmsg() call must process either - only contiguous DATA records (any number of them) - one non-DATA record If the next record has different type than what has already been processed we break out of the main processing loop. If the record has already been decrypted (which may be the case for TLS 1.3 where we don't know type until decryption) we queue the pending record to the rx_list. Next recvmsg() will pick it up from there. Queuing the skb to rx_list after zero-copy decrypt is not possible, since in that case we decrypted directly to the user space buffer, and we don't have an skb to queue (darg.skb points to the ciphertext skb for access to metadata like length). Only data records are allowed zero-copy, and we break the processing loop after each non-data record. So we should never zero-copy and then find out that the record type has changed. The corner case we missed is when the initial record comes from rx_list, and it's zero length. CVE-2025-39682 SUSE Linux Enterprise Server 16.0:kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 SUSE Linux Enterprise Server for SAP applications 16.0:kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620149-1/ https://www.suse.com/security/cve/CVE-2025-39682.html CVE-2025-39682 https://bugzilla.suse.com/1249284 SUSE Bug 1249284 https://bugzilla.suse.com/1250192 SUSE Bug 1250192 In the Linux kernel, the following vulnerability has been resolved: io_uring: fix incorrect io_kiocb reference in io_link_skb In io_link_skb function, there is a bug where prev_notif is incorrectly assigned using 'nd' instead of 'prev_nd'. This causes the context validation check to compare the current notification with itself instead of comparing it with the previous notification. Fix by using the correct prev_nd parameter when obtaining prev_notif. CVE-2025-39963 SUSE Linux Enterprise Server 16.0:kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 SUSE Linux Enterprise Server for SAP applications 16.0:kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620149-1/ https://www.suse.com/security/cve/CVE-2025-39963.html CVE-2025-39963 https://bugzilla.suse.com/1251819 SUSE Bug 1251819 https://bugzilla.suse.com/1251982 SUSE Bug 1251982 In the Linux kernel, the following vulnerability has been resolved: sctp: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this. CVE-2025-40204 SUSE Linux Enterprise Server 16.0:kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 SUSE Linux Enterprise Server for SAP applications 16.0:kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620149-1/ https://www.suse.com/security/cve/CVE-2025-40204.html CVE-2025-40204 https://bugzilla.suse.com/1253436 SUSE Bug 1253436 https://bugzilla.suse.com/1253437 SUSE Bug 1253437 In the Linux kernel, the following vulnerability has been resolved: nfsd: fix refcount leak in nfsd_set_fh_dentry() nfsd exports a "pseudo root filesystem" which is used by NFSv4 to find the various exported filesystems using LOOKUP requests from a known root filehandle. NFSv3 uses the MOUNT protocol to find those exported filesystems and so is not given access to the pseudo root filesystem. If a v3 (or v2) client uses a filehandle from that filesystem, nfsd_set_fh_dentry() will report an error, but still stores the export in "struct svc_fh" even though it also drops the reference (exp_put()). This means that when fh_put() is called an extra reference will be dropped which can lead to use-after-free and possible denial of service. Normal NFS usage will not provide a pseudo-root filehandle to a v3 client. This bug can only be triggered by the client synthesising an incorrect filehandle. To fix this we move the assignments to the svc_fh later, after all possible error cases have been detected. CVE-2025-40212 SUSE Linux Enterprise Server 16.0:kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 SUSE Linux Enterprise Server for SAP applications 16.0:kernel-livepatch-6_12_0-160000_5-default-5-160000.4.3 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620149-1/ https://www.suse.com/security/cve/CVE-2025-40212.html CVE-2025-40212 https://bugzilla.suse.com/1254195 SUSE Bug 1254195