{"id":"OESA-2025-2056","summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vkms: Fix use after free and double free on init error\n\nIf the driver initialization fails, the vkms_exit() function might\naccess an uninitialized or freed default_config pointer and it might\ndouble free it.\n\nFix both possible errors by initializing default_config only when the\ndriver initialization succeeded.(CVE-2025-22097)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nwifi: at76c50x: fix use after free access in at76_disconnect\n\nThe memory pointed to by priv is freed at the end of at76_delete_device\nfunction (using ieee80211_free_hw). But the code then accesses the udev\nfield of the freed object to put the USB device. This may also lead to a\nmemory leak of the usb device. Fix this by using udev from interface.(CVE-2025-37796)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ncodel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()\n\nAfter making all ->qlen_notify() callbacks idempotent, now it is safe to\nremove the check of qlen!=0 from both fq_codel_dequeue() and\ncodel_qdisc_dequeue().(CVE-2025-37798)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: qfq: Fix double list add in class with netem as child qdisc\n\nAs described in Gerrard's report [1], there are use cases where a netem\nchild qdisc will make the parent qdisc's enqueue callback reentrant.\nIn the case of qfq, there won't be a UAF, but the code will add the same\nclassifier to the list twice, which will cause memory corruption.\n\nThis patch checks whether the class was already added to the agg->active\nlist (cl_is_active) before doing the addition to cater for the reentrant\ncase.\n\n[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/(CVE-2025-37913)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: drr: Fix double list add in class with netem as child qdisc\n\nAs described in Gerrard's report [1], there are use cases where a netem\nchild qdisc will make the parent qdisc's enqueue callback reentrant.\nIn the case of drr, there won't be a UAF, but the code will add the same\nclassifier to the list twice, which will cause memory corruption.\n\nIn addition to checking for qlen being zero, this patch checks whether the\nclass was already added to the active_list (cl_is_active) before adding\nto the list to cover for the reentrant case.\n\n[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/(CVE-2025-37915)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/iwcm: Fix use-after-free of work objects after cm_id destruction\n\nThe commit 59c68ac31e15 (\"iw_cm: free cm_id resources on the last\nderef\") simplified cm_id resource management by freeing cm_id once all\nreferences to the cm_id were removed. The references are removed either\nupon completion of iw_cm event handlers or when the application destroys\nthe cm_id. This commit introduced the use-after-free condition where\ncm_id_private object could still be in use by event handler works during\nthe destruction of cm_id. The commit aee2424246f9 (\"RDMA/iwcm: Fix a\nuse-after-free related to destroying CM IDs\") addressed this use-after-\nfree by flushing all pending works at the cm_id destruction.\n\nHowever, still another use-after-free possibility remained. It happens\nwith the work objects allocated for each cm_id_priv within\nalloc_work_entries() during cm_id creation, and subsequently freed in\ndealloc_work_entries() once all references to the cm_id are removed.\nIf the cm_id's last reference is decremented in the event handler work,\nthe work object for the work itself gets removed, and causes the use-\nafter-free BUG below:\n\n  BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250\n  Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091\n\n  CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary)\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\n  Workqueue:  0x0 (iw_cm_wq)\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x6a/0x90\n   print_report+0x174/0x554\n   ? __virt_addr_valid+0x208/0x430\n   ? __pwq_activate_work+0x1ff/0x250\n   kasan_report+0xae/0x170\n   ? __pwq_activate_work+0x1ff/0x250\n   __pwq_activate_work+0x1ff/0x250\n   pwq_dec_nr_in_flight+0x8c5/0xfb0\n   process_one_work+0xc11/0x1460\n   ? __pfx_process_one_work+0x10/0x10\n   ? assign_work+0x16c/0x240\n   worker_thread+0x5ef/0xfd0\n   ? __pfx_worker_thread+0x10/0x10\n   kthread+0x3b0/0x770\n   ? __pfx_kthread+0x10/0x10\n   ? rcu_is_watching+0x11/0xb0\n   ? _raw_spin_unlock_irq+0x24/0x50\n   ? rcu_is_watching+0x11/0xb0\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x30/0x70\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork_asm+0x1a/0x30\n   </TASK>\n\n  Allocated by task 147416:\n   kasan_save_stack+0x2c/0x50\n   kasan_save_track+0x10/0x30\n   __kasan_kmalloc+0xa6/0xb0\n   alloc_work_entries+0xa9/0x260 [iw_cm]\n   iw_cm_connect+0x23/0x4a0 [iw_cm]\n   rdma_connect_locked+0xbfd/0x1920 [rdma_cm]\n   nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma]\n   cma_cm_event_handler+0xae/0x320 [rdma_cm]\n   cma_work_handler+0x106/0x1b0 [rdma_cm]\n   process_one_work+0x84f/0x1460\n   worker_thread+0x5ef/0xfd0\n   kthread+0x3b0/0x770\n   ret_from_fork+0x30/0x70\n   ret_from_fork_asm+0x1a/0x30\n\n  Freed by task 147091:\n   kasan_save_stack+0x2c/0x50\n   kasan_save_track+0x10/0x30\n   kasan_save_free_info+0x37/0x60\n   __kasan_slab_free+0x4b/0x70\n   kfree+0x13a/0x4b0\n   dealloc_work_entries+0x125/0x1f0 [iw_cm]\n   iwcm_deref_id+0x6f/0xa0 [iw_cm]\n   cm_work_handler+0x136/0x1ba0 [iw_cm]\n   process_one_work+0x84f/0x1460\n   worker_thread+0x5ef/0xfd0\n   kthread+0x3b0/0x770\n   ret_from_fork+0x30/0x70\n   ret_from_fork_asm+0x1a/0x30\n\n  Last potentially related work creation:\n   kasan_save_stack+0x2c/0x50\n   kasan_record_aux_stack+0xa3/0xb0\n   __queue_work+0x2ff/0x1390\n   queue_work_on+0x67/0xc0\n   cm_event_handler+0x46a/0x820 [iw_cm]\n   siw_cm_upcall+0x330/0x650 [siw]\n   siw_cm_work_handler+0x6b9/0x2b20 [siw]\n   process_one_work+0x84f/0x1460\n   worker_thread+0x5ef/0xfd0\n   kthread+0x3b0/0x770\n   ret_from_fork+0x30/0x70\n   ret_from_fork_asm+0x1a/0x30\n\nThis BUG is reproducible by repeating the blktests test case nvme/061\nfor the rdma transport and the siw driver.\n\nTo avoid the use-after-free of cm_id_private work objects, ensure that\nthe last reference to the cm_id is decremented not in the event handler\nworks, but in the cm_id destruction context. For that purpose, mo\n---truncated---(CVE-2025-38211)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\natm: clip: prevent NULL deref in clip_push()\n\nBlamed commit missed that vcc_destroy_socket() calls\nclip_push() with a NULL skb.\n\nIf clip_devs is NULL, clip_push() then crashes when reading\nskb->truesize.(CVE-2025-38251)\n\nA vulnerability was found in Linux Kernel up to 6.16-rc4 (Operating System) and classified as problematic.Using CWE to declare the problem leads to CWE-125. The product reads data past the end, or before the beginning, of the intended buffer.Impacted is confidentiality.Upgrading to version 5.15.189, 6.1.144, 6.6.97, 6.12.37, 6.15.6 or 6.16-rc5 eliminates this vulnerability. Applying the patch 982beb7582c193544eb9c6083937ec5ac1c9d651/6aca3dad2145e864dfe4d1060f45eb1bac75dd58/80b971be4c37a4d23a7f1abc5ff33dc7733d649b/bc68bc3563344ccdc57d1961457cdeecab8f81ef/11f2d0e8be2b5e784ac45fa3da226492c3e506d8/315dbdd7cdf6aa533829774caaf4d25f1fd20e73 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.(CVE-2025-38375)\n\nA vulnerability was found in Linux Kernel up to 6.1.146/6.6.99/6.12.39/6.15.7 (Operating System). It has been classified as critical.CWE is classifying the issue as CWE-416. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.This is going to have an impact on confidentiality, integrity, and availability.Upgrading to version 6.1.147, 6.6.100, 6.12.40 or 6.15.8 eliminates this vulnerability. Applying the patch ac3a8147bb24314fb3e84986590148e79f9872ec/c4f16f6b071a74ac7eefe5c28985285cbbe2cd96/b97be7ee8a1cd96b89817cbd64a9f5cc16c17d08/6d63901dcd592a1e3f71d7c6d78f9be5e8d7eef0/a0075accbf0d76c2dad1ad3993d2e944505d99a0 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.(CVE-2025-38473)\n\nA vulnerability, which was classified as problematic, was found in Linux Kernel up to 6.1.146/6.6.99/6.12.39/6.15.7 (Operating System).CWE is classifying the issue as CWE-770. The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.This is going to have an impact on confidentiality, integrity, and availability.Upgrading to version 6.1.147, 6.6.100, 6.12.40 or 6.15.8 eliminates this vulnerability. Applying the patch d3ed1d84a84538a39b3eb2055d6a97a936c108f2/fcda39a9c5b834346088c14b1374336b079466c1/a262370f385e53ff7470efdcdaf40468e5756717/a47d9d9895bad9ce0e840a39836f19ca0b2a343a/4f15ee98304b96e164ff2340e1dfd6181c3f42aa is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.(CVE-2025-38495)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Reject %p% format string in bprintf-like helpers\n\nstatic const char fmt[] = \"%p%\";\n    bpf_trace_printk(fmt, sizeof(fmt));\n\nThe above BPF program isn't rejected and causes a kernel warning at\nruntime:\n\n    Please remove unsupported %\\x00 in format string\n    WARNING: CPU: 1 PID: 7244 at lib/vsprintf.c:2680 format_decode+0x49c/0x5d0\n\nThis happens because bpf_bprintf_prepare skips over the second %,\ndetected as punctuation, while processing %p. This patch fixes it by\nnot skipping over punctuation. %\\x00 is then processed in the next\niteration and rejected.(CVE-2025-38528)","modified":"2026-03-11T07:11:34.125140Z","published":"2025-08-22T11:36:27Z","upstream":["CVE-2025-22097","CVE-2025-37796","CVE-2025-37798","CVE-2025-37913","CVE-2025-37915","CVE-2025-38211","CVE-2025-38251","CVE-2025-38375","CVE-2025-38473","CVE-2025-38495","CVE-2025-38528"],"database_specific":{"severity":"High"},"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2056"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22097"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-37796"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-37798"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-37913"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-37915"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38211"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38251"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38375"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38473"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38495"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38528"}],"affected":[{"package":{"name":"kernel","ecosystem":"openEuler:24.03-LTS-SP2","purl":"pkg:rpm/openEuler/kernel&distro=openEuler-24.03-LTS-SP2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.0-106.0.0.112.oe2403sp2"}]}],"ecosystem_specific":{"src":["kernel-6.6.0-106.0.0.112.oe2403sp2.src.rpm"],"x86_64":["bpftool-6.6.0-106.0.0.112.oe2403sp2.x86_64.rpm","bpftool-debuginfo-6.6.0-106.0.0.112.oe2403sp2.x86_64.rpm","kernel-6.6.0-106.0.0.112.oe2403sp2.x86_64.rpm","kernel-debuginfo-6.6.0-106.0.0.112.oe2403sp2.x86_64.rpm","kernel-debugsource-6.6.0-106.0.0.112.oe2403sp2.x86_64.rpm","kernel-devel-6.6.0-106.0.0.112.oe2403sp2.x86_64.rpm","kernel-extra-modules-6.6.0-106.0.0.112.oe2403sp2.x86_64.rpm","kernel-headers-6.6.0-106.0.0.112.oe2403sp2.x86_64.rpm","kernel-source-6.6.0-106.0.0.112.oe2403sp2.x86_64.rpm","kernel-tools-6.6.0-106.0.0.112.oe2403sp2.x86_64.rpm","kernel-tools-debuginfo-6.6.0-106.0.0.112.oe2403sp2.x86_64.rpm","kernel-tools-devel-6.6.0-106.0.0.112.oe2403sp2.x86_64.rpm","perf-6.6.0-106.0.0.112.oe2403sp2.x86_64.rpm","perf-debuginfo-6.6.0-106.0.0.112.oe2403sp2.x86_64.rpm","python3-perf-6.6.0-106.0.0.112.oe2403sp2.x86_64.rpm","python3-perf-debuginfo-6.6.0-106.0.0.112.oe2403sp2.x86_64.rpm"],"aarch64":["bpftool-6.6.0-106.0.0.112.oe2403sp2.aarch64.rpm","bpftool-debuginfo-6.6.0-106.0.0.112.oe2403sp2.aarch64.rpm","kernel-6.6.0-106.0.0.112.oe2403sp2.aarch64.rpm","kernel-debuginfo-6.6.0-106.0.0.112.oe2403sp2.aarch64.rpm","kernel-debugsource-6.6.0-106.0.0.112.oe2403sp2.aarch64.rpm","kernel-devel-6.6.0-106.0.0.112.oe2403sp2.aarch64.rpm","kernel-extra-modules-6.6.0-106.0.0.112.oe2403sp2.aarch64.rpm","kernel-headers-6.6.0-106.0.0.112.oe2403sp2.aarch64.rpm","kernel-source-6.6.0-106.0.0.112.oe2403sp2.aarch64.rpm","kernel-tools-6.6.0-106.0.0.112.oe2403sp2.aarch64.rpm","kernel-tools-debuginfo-6.6.0-106.0.0.112.oe2403sp2.aarch64.rpm","kernel-tools-devel-6.6.0-106.0.0.112.oe2403sp2.aarch64.rpm","perf-6.6.0-106.0.0.112.oe2403sp2.aarch64.rpm","perf-debuginfo-6.6.0-106.0.0.112.oe2403sp2.aarch64.rpm","python3-perf-6.6.0-106.0.0.112.oe2403sp2.aarch64.rpm","python3-perf-debuginfo-6.6.0-106.0.0.112.oe2403sp2.aarch64.rpm"]},"database_specific":{"source":"https://repo.openeuler.org/security/data/osv/OESA-2025-2056.json"}}],"schema_version":"1.7.5"}