ELSA-2025-9080

Опубликовано: 17 июн. 2025

Источник: oracle-oval

Платформа: Oracle Linux 9

Описание

ELSA-2025-9080: kernel security update (IMPORTANT)

[5.14.0-570.22.1.0.1_6.OL9]

nvme-pci: remove two deallocate zeroes quirks [Orabug: 37756650]
Disable UKI signing [Orabug: 36571828]
Update Oracle Linux certificates (Kevin Lyons)
Disable signing for aarch64 (Ilya Okomin)
Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
Update x509.genkey [Orabug: 24817676]
Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5
Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
Add Oracle Linux IMA certificates
Add new Oracle Linux Driver Signing (key 1) certificate [Orabug: 37985764]

[5.14.0-570.22.1_6]

Bluetooth: L2CAP: Fix corrupted list in hci_chan_del (David Marlin) [RHEL-87890] {CVE-2025-21969}
Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd (David Marlin) [RHEL-87890] {CVE-2025-21969}
Revert 'SUNRPC: Revert e0a912e8ddba' (Benjamin Coddington) [RHEL-94811]
mm/hugetlb: fix kernel NULL pointer dereference when migrating hugetlb folio (Jay Shin) [RHEL-92291]
mm: fix crashes from deferred split racing folio migration (Jay Shin) [RHEL-92291] {CVE-2024-42234}
mm: memcg: fix split queue list crash when large folio migration (Jay Shin) [RHEL-92291]
proc: fix UAF in proc_get_inode() (Ian Kent) [RHEL-86808] {CVE-2025-21999}
cifs: Fix integer overflow while processing acdirmax mount option (Paulo Alcantara) [RHEL-87941] {CVE-2025-21963}
wifi: cfg80211: init wiphy_work before allocating rfkill fails (CKI Backport Bot) [RHEL-87931] {CVE-2025-21979}
wifi: cfg80211: cancel wiphy_work before freeing wiphy (CKI Backport Bot) [RHEL-87931] {CVE-2025-21979}
eth: bnxt: fix truesize for mb-xdp-pass case (CKI Backport Bot) [RHEL-88328] {CVE-2025-21961}
vmxnet3: unregister xdp rxq info in the reset path (CKI Backport Bot) [RHEL-92471]
md: fix mddev uaf while iterating all_mddevs list (CKI Backport Bot) [RHEL-89062] {CVE-2025-22126}
nvme: print firmware bug note for non-unique identifiers (Bryan Gurney) [RHEL-91163]
nvme-pci: add BOGUS_NID quirk for Samsung PM1733 (Bryan Gurney) [RHEL-91163]
media: v4l2-mediabus: Drop V4L2_MBUS_CSI2_CONTINUOUS_CLOCK flag (Kate Hsuan) [RHEL-90323]
media: v4l2-mediabus: Drop legacy V4L2_MBUS_CSI2_CHANNEL_* flags (Kate Hsuan) [RHEL-90323]
media: v4l2-mediabus: Use structures to describe bus configuration (Kate Hsuan) [RHEL-90323]
media: v4l2-fwnode: Move bus config structure to v4l2_mediabus.h (Kate Hsuan) [RHEL-90323]
sched/fair: Fix CPU bandwidth limit bypass during CPU hotplug (Phil Auld) [RHEL-86302]
smb: client: fix UAF in decryption with multichannel (CKI Backport Bot) [RHEL-94460] {CVE-2025-37750}

Обновленные пакеты

Oracle Linux 9

Oracle Linux aarch64

kernel-cross-headers

5.14.0-570.22.1.0.1.el9_6

kernel-tools-libs-devel

5.14.0-570.22.1.0.1.el9_6

kernel-tools

5.14.0-570.22.1.0.1.el9_6

kernel-tools-libs

5.14.0-570.22.1.0.1.el9_6

python3-perf

5.14.0-570.22.1.0.1.el9_6

kernel-headers

5.14.0-570.22.1.0.1.el9_6

perf

5.14.0-570.22.1.0.1.el9_6

rtla

5.14.0-570.22.1.0.1.el9_6

Oracle Linux x86_64

kernel

5.14.0-570.22.1.0.1.el9_6

kernel-abi-stablelists

5.14.0-570.22.1.0.1.el9_6

kernel-core

5.14.0-570.22.1.0.1.el9_6

kernel-debug

5.14.0-570.22.1.0.1.el9_6

kernel-debug-core

5.14.0-570.22.1.0.1.el9_6

kernel-debug-modules

5.14.0-570.22.1.0.1.el9_6

kernel-debug-modules-core

5.14.0-570.22.1.0.1.el9_6

kernel-debug-modules-extra

5.14.0-570.22.1.0.1.el9_6

kernel-debug-uki-virt

5.14.0-570.22.1.0.1.el9_6

kernel-modules

5.14.0-570.22.1.0.1.el9_6

kernel-modules-core

5.14.0-570.22.1.0.1.el9_6

kernel-modules-extra

5.14.0-570.22.1.0.1.el9_6

kernel-tools

5.14.0-570.22.1.0.1.el9_6

kernel-tools-libs

5.14.0-570.22.1.0.1.el9_6

kernel-uki-virt

5.14.0-570.22.1.0.1.el9_6

kernel-uki-virt-addons

5.14.0-570.22.1.0.1.el9_6

python3-perf

5.14.0-570.22.1.0.1.el9_6

kernel-debug-devel

5.14.0-570.22.1.0.1.el9_6

kernel-debug-devel-matched

5.14.0-570.22.1.0.1.el9_6

kernel-devel

5.14.0-570.22.1.0.1.el9_6

kernel-devel-matched

5.14.0-570.22.1.0.1.el9_6

kernel-doc

5.14.0-570.22.1.0.1.el9_6

kernel-headers

5.14.0-570.22.1.0.1.el9_6

perf

5.14.0-570.22.1.0.1.el9_6

rtla

5.14.0-570.22.1.0.1.el9_6

kernel-cross-headers

5.14.0-570.22.1.0.1.el9_6

kernel-tools-libs-devel

5.14.0-570.22.1.0.1.el9_6

libperf

5.14.0-570.22.1.0.1.el9_6

Связанные CVE

Ссылки на источники

Связанные уязвимости

ELSA-2025-9079

oracle-oval

17 дней назад

ELSA-2025-9079: kernel security update (IMPORTANT)

CVE-2025-22126

ubuntu

3 месяца назад

In the Linux kernel, the following vulnerability has been resolved: md: fix mddev uaf while iterating all_mddevs list While iterating all_mddevs list from md_notify_reboot() and md_exit(), list_for_each_entry_safe is used, and this can race with deletint the next mddev, causing UAF: t1: spin_lock //list_for_each_entry_safe(mddev, n, ...) mddev_get(mddev1) // assume mddev2 is the next entry spin_unlock t2: //remove mddev2 ... mddev_free spin_lock list_del spin_unlock kfree(mddev2) mddev_put(mddev1) spin_lock //continue dereference mddev2->all_mddevs The old helper for_each_mddev() actually grab the reference of mddev2 while holding the lock, to prevent from being freed. This problem can be fixed the same way, however, the code will be complex. Hence switch to use list_for_each_entry, in this case mddev_put() can free the mddev1 and it's not safe as well. Refer to md_seq_show(), also factor out a helper mddev_put_locked() to fix this problem.

CVE-2025-22126

CVSS3: 7

redhat

3 месяца назад

CVE-2025-22126

nvd

3 месяца назад

CVE-2025-22126

msrc

9 дней назад

Описание отсутствует