Описание
ELSA-2025-23947: kernel security update (MODERATE)
[3.10.0-1160.119.1.0.16]
- net: sched: sfb: fix null pointer access issue when sfb_init() fails {CVE-2022-50356} [Orabug: 38790244]
- fs: fix UAF/GPF bug in nilfs_mdt_destroy {CVE-2022-50367} [Orabug: 38790244]
- iomap: iomap: fix memory corruption when recording {CVE-2022-50406} [Orabug: 38790244]
- mm: fix zswap writeback race condition {CVE-2023-53178} [Orabug: 38790244]
- Bluetooth: L2CAP: fix 'bad unlock balance' in l2cap_disconnect_rsp {CVE-2023-53297} [Orabug: 38790244]
- scsi: qla2xxx: Wait for io return on terminate rport {CVE-2023-53322} [Orabug: 38790244]
- ALSA: usb-audio: Validate UAC3 power domain descriptors, too {CVE-2025-38729} [Orabug: 38790244]
- ALSA: usb-audio: Validate UAC3 cluster segment descriptors {CVE-2025-39757} [Orabug: 38790244]
- tcp: fix potential double free issue for fastopen_req [Orabug: 38790244]
- tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect() {CVE-2025-39955} [Orabug: 38790244]
- NFSD: Protect against send buffer overflow in NFSv2 READ {CVE-2022-50410} [Orabug: 38790244]
- ext4: fix undefined behavior in bit shift for ext4_check_flag_values {CVE-2022-50403} [Orabug: 38790244]
[3.10.0-1160.119.1.0.15]
- Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del() {CVE-2022-3640} [Orabug: 38742878]
- Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put [Orabug: 38742878]
- Bluetooth: L2CAP: Fix user-after-free {CVE-2022-50386} [Orabug: 38742878]
- wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit() {CVE-2022-50408} [Orabug: 38742878]
- Bluetooth: L2CAP: Fix use-after-free {CVE-2023-53305} [Orabug: 38742878]
- ip6mr: Fix skb_under_panic in ip6mr_cache_report() {CVE-2023-53365} [Orabug: 38742878]
- sctp: linearize cloned gso packets in sctp_rcv {CVE-2025-38718} [Orabug: 38742878]
[3.10.0-1160.119.1.0.14]
- HID: core: fix shift-out-of-bounds in hid_report_raw_event {CVE-2022-48978} [Orabug: 38644370]
- crypto: seqiv - Handle EBUSY correctly {CVE-2023-53373} [Orabug: 38644370]
- nfsd: don't ignore the return code of svc_proc_register() {CVE-2025-22026} [Orabug: 38644370]
- net_sched: hfsc: Fix a UAF vulnerability in class handling {CVE-2025-37797} [Orabug: 38644370]
- HID: core: Harden s32ton() against conversion to 0 bits {CVE-2025-38556} [Orabug: 38644370]
- ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control {CVE-2025-39751} [Orabug: 38644370]
[3.10.0-1160.119.1.0.13]
- ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface() {CVE-2022-48701} [Orabug: 38493400]
- md-raid10: fix KASAN warning {CVE-2022-50211} [Orabug: 38493400]
- ALSA: bcd2000: Fix a UAF bug on the error path of probing {CVE-2022-50229} [Orabug: 38493400]
- net: usb: smsc75xx: Limit packet length to skb->len {CVE-2023-53125} [Orabug: 38493400]
- i40e: fix MMIO write access to an invalid page in i40e_clear_hw {CVE-2025-38200} [Orabug: 38493400]
- net/sched: sch_qfq: Fix race condition on qfq_aggregate {CVE-2025-38477} [Orabug: 38493400]
[3.10.0-1160.119.1.0.12]
- scsi: lpfc: Use memcpy() for BIOS version (CVE-2025-38332) [Orabug: 38414589]
- posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() (CVE-2025-38352) [Orabug: 38414589]
[3.10.0-1160.119.1.0.11]
- kernel: media: uvcvideo: Fix double free in error path (CVE-2024-57980)
- kernel: HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove() (CVE-2025-21928)
- kernel: ext4: fix off-by-one error in do_split (CVE-2025-23150)
- kernel: misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram() (CVE-2022-49788)
- kernel: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() (CVE-2025-38000)
- kernel: ext4: avoid resizing to a partial cluster size (CVE-2022-50020)
- kernel: drivers:md:fix a potential use-after-free bug (CVE-2022-50022)
- kernel: sch_hfsc: make hfsc_qlen_notify() idempotent (CVE-2025-38177)
- kernel: net/sched: Always pass notifications when child class becomes empty (CVE-2025-38350)
- crypto: algif_hash - fix double free in hash_accept (CVE-2025-38079)
[3.10.0-1160.119.1.0.10]
- net: atlantic: fix aq_vec index out of range error (Chia-Lin Kao) {CVE-2022-50066} [Orabug: 38201271]
- net: atm: fix use after free in lec_send() (Dan Carpenter) {CVE-2025-22004} [Orabug: 38201271]
[3.10.0-1160.119.1.0.9]
- netfilter: ipset: add missing range check in bitmap_ip_uadt (Jeongjun Park) {CVE-2024-53141} [Orabug: 37964173]
- Update OL SB certificates
- Add new Oracle Linux Driver Signing (key 1) certificate [Orabug: 37985797]
[3.10.0-1160.119.1.0.8]
- ALSA: usb-audio: Fix out of bounds reads when finding clock sources (Takashi Iwai) {CVE-2024-53150} [Orabug: 37830084]
[3.10.0-1160.119.1.0.7]
- ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices (Benoit Sevens) {CVE-2024-53197} [Orabug: 37686305]
- can: bcm: Fix UAF in bcm_proc_show() (YueHaibing) {CVE-2023-52922} [Orabug: 37686305]
- HID: core: zero-initialize the report buffer (Benoit Sevens) {CVE-2024-50302} [Orabug: 37686305]
Обновленные пакеты
Oracle Linux 7
Oracle Linux x86_64
bpftool
3.10.0-1160.119.1.0.16.el7
kernel
3.10.0-1160.119.1.0.16.el7
kernel-abi-whitelists
3.10.0-1160.119.1.0.16.el7
kernel-debug
3.10.0-1160.119.1.0.16.el7
kernel-debug-devel
3.10.0-1160.119.1.0.16.el7
kernel-devel
3.10.0-1160.119.1.0.16.el7
kernel-doc
3.10.0-1160.119.1.0.16.el7
kernel-headers
3.10.0-1160.119.1.0.16.el7
kernel-tools
3.10.0-1160.119.1.0.16.el7
kernel-tools-libs
3.10.0-1160.119.1.0.16.el7
kernel-tools-libs-devel
3.10.0-1160.119.1.0.16.el7
perf
3.10.0-1160.119.1.0.16.el7
python-perf
3.10.0-1160.119.1.0.16.el7
Ссылки на источники
Связанные уязвимости
In the Linux kernel, the following vulnerability has been resolved: net: sched: sfb: fix null pointer access issue when sfb_init() fails When the default qdisc is sfb, if the qdisc of dev_queue fails to be inited during mqprio_init(), sfb_reset() is invoked to clear resources. In this case, the q->qdisc is NULL, and it will cause gpf issue. The process is as follows: qdisc_create_dflt() sfb_init() tcf_block_get() --->failed, q->qdisc is NULL ... qdisc_put() ... sfb_reset() qdisc_reset(q->qdisc) --->q->qdisc is NULL ops = qdisc->ops The following is the Call Trace information: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] RIP: 0010:qdisc_reset+0x2b/0x6f0 Call Trace: <TASK> sfb_reset+0x37/0xd0 qdisc_reset+0xed/0x6f0 qdisc_destroy+0x82/0x4c0 qdisc_put+0x9e/0xb0 qdisc_create_dflt+0x2c3/0x4a0 mqprio_init+0xa71/0x1760 qdisc_create+0x3eb/0x1000 t...
In the Linux kernel, the following vulnerability has been resolved: net: sched: sfb: fix null pointer access issue when sfb_init() fails When the default qdisc is sfb, if the qdisc of dev_queue fails to be inited during mqprio_init(), sfb_reset() is invoked to clear resources. In this case, the q->qdisc is NULL, and it will cause gpf issue. The process is as follows: qdisc_create_dflt() sfb_init() tcf_block_get() --->failed, q->qdisc is NULL ... qdisc_put() ... sfb_reset() qdisc_reset(q->qdisc) --->q->qdisc is NULL ops = qdisc->ops The following is the Call Trace information: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] RIP: 0010:qdisc_reset+0x2b/0x6f0 Call Trace: <TASK> sfb_reset+0x37/0xd0 qdisc_reset+0xed/0x6f0 qdisc_destroy+0x82/0x4c0 qdisc_put+0x9e/0xb0 qdisc_create_dflt+0x2c3/0x4a0 mqprio_init+0xa71/0x1760 qdisc_create+0x3eb/0x1000 t...
In the Linux kernel, the following vulnerability has been resolved: net: sched: sfb: fix null pointer access issue when sfb_init() fails When the default qdisc is sfb, if the qdisc of dev_queue fails to be inited during mqprio_init(), sfb_reset() is invoked to clear resources. In this case, the q->qdisc is NULL, and it will cause gpf issue. The process is as follows: qdisc_create_dflt() sfb_init() tcf_block_get() --->failed, q->qdisc is NULL ... qdisc_put() ... sfb_reset() qdisc_reset(q->qdisc) --->q->qdisc is NULL ops = qdisc->ops The following is the Call Trace information: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] RIP: 0010:qdisc_reset+0x2b/0x6f0 Call Trace: <TASK> sfb_reset+0x37/0xd0 qdisc_reset+0xed/0x6f0 qdisc_destroy+0x82/0x4c0 qdisc_put+0x9e/0xb0 qdisc_create_dflt+0x2c3/0x4a0 mqprio_init+0xa71/0x1760 qdisc_crea
In the Linux kernel, the following vulnerability has been resolved: n ...
In the Linux kernel, the following vulnerability has been resolved: net: sched: sfb: fix null pointer access issue when sfb_init() fails When the default qdisc is sfb, if the qdisc of dev_queue fails to be inited during mqprio_init(), sfb_reset() is invoked to clear resources. In this case, the q->qdisc is NULL, and it will cause gpf issue. The process is as follows: qdisc_create_dflt() sfb_init() tcf_block_get() --->failed, q->qdisc is NULL ... qdisc_put() ... sfb_reset() qdisc_reset(q->qdisc) --->q->qdisc is NULL ops = qdisc->ops The following is the Call Trace information: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] RIP: 0010:qdisc_reset+0x2b/0x6f0 Call Trace: <TASK> sfb_reset+0x37/0xd0 qdisc_reset+0xed/0x6f0 qdisc_destroy+0x82/0x4c0 qdisc_put+0x9e/0xb0 qdisc_create_dflt+0x2c3/0x4a0 mqprio_init+0xa71/0x1760 qdisc_c...