Описание
ELSA-2026-6632: kernel security update (MODERATE)
[6.12.0-124.49.1]
- Add new Oracle Linux Driver Signing (key 1) certificate [Orabug: 37985782]
- Disable UKI signing [Orabug: 36571828]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5]
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
- Add Oracle Linux IMA certificates
- Update module name for cryptographic module [Orabug: 37400433]
- Clean git history at setup stage
[6.12.0-124.49.1]
- net/mlx5: Fix ECVF vports unload on shutdown flow (CKI Backport Bot) [RHEL-154540] {CVE-2025-38109}
- mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure (Rafael Aquini) [RHEL-150480] {CVE-2026-23144}
- ALSA: aloop: Fix racy access at PCM trigger (CKI Backport Bot) [RHEL-150132] {CVE-2026-23191}
[6.12.0-124.48.1]
- ice: fix page leak for zero-size Rx descriptors (CKI Backport Bot) [RHEL-154232]
- Bluetooth: MGMT: Fix memory leak in set_ssp_complete (David Marlin) [RHEL-151786]
- Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work (David Marlin) [RHEL-151786]
- Bluetooth: btusb: revert use of devm_kzalloc in btusb (David Marlin) [RHEL-151786]
- Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF (David Marlin) [RHEL-151786]
- net/sched: cls_u32: use skb_header_pointer_careful() (Paolo Abeni) [RHEL-150406] {CVE-2026-23204}
- net: add skb_header_pointer_careful() helper (Paolo Abeni) [RHEL-150406]
- bonding: fix use-after-free due to enslave fail after slave array update (CKI Backport Bot) [RHEL-152391] {CVE-2026-23171}
- scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count() (CKI Backport Bot) [RHEL-150426] {CVE-2026-23193}
- macvlan: observe an RCU grace period in macvlan_common_newlink() error path (Hangbin Liu) [RHEL-150229]
- macvlan: fix error recovery in macvlan_common_newlink() (CKI Backport Bot) [RHEL-150229] {CVE-2026-23209}
- media: uvcvideo: Drop stream->mutex (Kate Hsuan) [RHEL-128622]
- media: uvcvideo: Fix comments in uvc_meta_detect_msxu (Kate Hsuan) [RHEL-128622]
- media: usb: uvcvideo: Store v4l2_fh pointer in file->private_data (Kate Hsuan) [RHEL-128622]
- media: v4l2: Add support for NV12M tiled variants to v4l2_format_info() (Kate Hsuan) [RHEL-128622]
- media: uvcvideo: Use a count variable for meta_formats instead of 0 terminating (Kate Hsuan) [RHEL-128622]
- media: uvcvideo: Auto-set UVC_QUIRK_MSXU_META (Kate Hsuan) [RHEL-128622]
- media: uvcvideo: Introduce V4L2_META_FMT_UVC_MSXU_1_5 (Kate Hsuan) [RHEL-128622]
- media: uvcvideo: Introduce dev->meta_formats (Kate Hsuan) [RHEL-128622]
- media: uvcvideo: Do not mark valid metadata as invalid (Kate Hsuan) [RHEL-128622]
- media: uvcvideo: uvc_v4l2_unlocked_ioctl: Invert PM logic (Kate Hsuan) [RHEL-128622]
- media: core: export v4l2_translate_cmd (Kate Hsuan) [RHEL-128622]
- media: uvcvideo: Turn on the camera if V4L2_EVENT_SUB_FL_SEND_INITIAL (Kate Hsuan) [RHEL-128622]
- media: uvcvideo: Remove stream->is_streaming field (Kate Hsuan) [RHEL-128622]
- media: uvcvideo: Split uvc_stop_streaming() (Kate Hsuan) [RHEL-128622]
- media: uvcvideo: Handle locks in uvc_queue_return_buffers (Kate Hsuan) [RHEL-128622]
- media: uvcvideo: Use vb2 ioctl and fop helpers (Kate Hsuan) [RHEL-128622]
- media: v4l2-common: Add the missing Raw Bayer pixel formats (Kate Hsuan) [RHEL-128622]
- media: v4l2-subdev: Add debug prints to v4l2_subdev_collect_streams() (Kate Hsuan) [RHEL-128622]
- media: v4l2-subdev: Print early in v4l2_subdev_{enable,disable}_streams() (Kate Hsuan) [RHEL-128622]
- media: v4l2: Add Renesas Camera Receiver Unit pixel formats (Kate Hsuan) [RHEL-128622]
- media: v4l2-subdev: Limit the number of active routes to V4L2_FRAME_DESC_ENTRY_MAX (Kate Hsuan) [RHEL-128622]
- media: v4l2-ctrls: Return the handler's error in v4l2_ctrl_handler_free() (Kate Hsuan) [RHEL-128622]
- media: v4l2-ctrls: Don't reset handler's error in v4l2_ctrl_handler_free() (Kate Hsuan) [RHEL-128622]
- media: v4l2-common: Reduce warnings about missing V4L2_CID_LINK_FREQ control (Kate Hsuan) [RHEL-128622]
- media: v4l2-ctrls: Fix H264 SEPARATE_COLOUR_PLANE check (Kate Hsuan) [RHEL-128622]
- media: v4l2-jpeg: Remove unused v4l2_jpeg_parse_* wrappers (Kate Hsuan) [RHEL-128622]
- media: v4l2-core: Replace the check for firmware registered I2C devices (Kate Hsuan) [RHEL-128622]
- media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() (Kate Hsuan) [RHEL-128622] {CVE-2025-38680}
- media: uvcvideo: Add quirk for HP Webcam HD 2300 (Kate Hsuan) [RHEL-128622]
- media: uvcvideo: Refactor uvc_v4l2_compat_ioctl32 (Kate Hsuan) [RHEL-128622]
- media: uvcvideo: Refactor uvc_queue_streamon (Kate Hsuan) [RHEL-128622]
- media: uvcvideo: Refactor uvc_ctrl_set_handle() (Kate Hsuan) [RHEL-128622]
- media: uvcvideo: Populate all errors in uvc_probe() (Kate Hsuan) [RHEL-128622]
- media: uvcvideo: Set V4L2_CTRL_FLAG_DISABLED during queryctrl errors (Kate Hsuan) [RHEL-128622]
- media: uvcvideo: Fix bandwidth issue for Alcor camera (Kate Hsuan) [RHEL-128622]
- media: uvcvideo: Use dev_err_probe for devm_gpiod_get_optional (Kate Hsuan) [RHEL-128622]
- media: uvcvideo: Fix deferred probing error (Kate Hsuan) [RHEL-128622]
- media: uvcvideo: Rollback non processed entities on error (Kate Hsuan) [RHEL-128622]
- media: uvcvideo: Send control events for partial succeeds (Kate Hsuan) [RHEL-128622]
- media: uvcvideo: Return the number of processed controls (Kate Hsuan) [RHEL-128622]
- media: uvcvideo: Do not turn on the camera for some ioctls (Kate Hsuan) [RHEL-128622]
- media: uvcvideo: Make power management granular (Kate Hsuan) [RHEL-128622]
- media: uvcvideo: Avoid variable shadowing in uvc_ctrl_cleanup_fh (Kate Hsuan) [RHEL-128622]
- media: uvcvideo: Increase/decrease the PM counter per IOCTL (Kate Hsuan) [RHEL-128622]
- media: uvcvideo: Create uvc_pm_(get|put) functions (Kate Hsuan) [RHEL-128622]
- media: uvcvideo: Keep streaming state in the file handle (Kate Hsuan) [RHEL-128622]
- media: Add C3ISP_PARAMS and C3ISP_STATS meta formats (Kate Hsuan) [RHEL-128622]
- media: v4l: subdev: Fix coverity issue: Logically dead code (Kate Hsuan) [RHEL-128622]
- media: v4l2-dev: fix error handling in __video_register_device() (Kate Hsuan) [RHEL-128622]
- media: common: Add v4l2_find_nearest_size_conditional() (Kate Hsuan) [RHEL-128622]
- media: v4l2-common: Add RGBR format info (Kate Hsuan) [RHEL-128622]
- media: v4l2: Add NV15 and NV20 pixel formats (Kate Hsuan) [RHEL-128622]
- media: v4l2-common: Add helpers to calculate bytesperline and sizeimage (Kate Hsuan) [RHEL-128622]
- media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf() (Kate Hsuan) [RHEL-128622]
- media: v4l2-core: use (t,l)/wxh format for rectangle (Kate Hsuan) [RHEL-128622]
- media: v4l2-core: Introduce v4l2_query_ext_ctrl_to_v4l2_queryctrl (Kate Hsuan) [RHEL-128622]
- media: v4l2: Remove vidioc_s_ctrl callback (Kate Hsuan) [RHEL-128622]
- media: v4l2: Remove vidioc_g_ctrl callback (Kate Hsuan) [RHEL-128622]
- media: v4l2: Remove vidioc_queryctrl callback (Kate Hsuan) [RHEL-128622]
- media: ioctl: Simulate v4l2_queryctrl with v4l2_query_ext_ctrl (Kate Hsuan) [RHEL-128622]
- media: v4l2-dv-timings: add v4l2_num_edid_blocks() helper (Kate Hsuan) [RHEL-128622]
- media: v4l: Memset argument to 0 before calling get_mbus_config pad op (Kate Hsuan) [RHEL-128622]
- media: v4l: Support obtaining link frequency via get_mbus_config (Kate Hsuan) [RHEL-128622]
- media: v4l: Support passing media pad argument to v4l2_get_link_freq() (Kate Hsuan) [RHEL-128622]
Обновленные пакеты
Oracle Linux 10
Oracle Linux aarch64
kernel-headers
6.12.0-124.49.1.el10_1
perf
6.12.0-124.49.1.el10_1
python3-perf
6.12.0-124.49.1.el10_1
rtla
6.12.0-124.49.1.el10_1
rv
6.12.0-124.49.1.el10_1
kernel-tools
6.12.0-124.49.1.el10_1
kernel-tools-libs
6.12.0-124.49.1.el10_1
kernel-cross-headers
6.12.0-124.49.1.el10_1
kernel-tools-libs-devel
6.12.0-124.49.1.el10_1
libperf
6.12.0-124.49.1.el10_1
Oracle Linux x86_64
kernel
6.12.0-124.49.1.el10_1
kernel-abi-stablelists
6.12.0-124.49.1.el10_1
kernel-core
6.12.0-124.49.1.el10_1
kernel-debug
6.12.0-124.49.1.el10_1
kernel-debug-core
6.12.0-124.49.1.el10_1
kernel-debug-modules
6.12.0-124.49.1.el10_1
kernel-debug-modules-core
6.12.0-124.49.1.el10_1
kernel-debug-modules-extra
6.12.0-124.49.1.el10_1
kernel-debug-uki-virt
6.12.0-124.49.1.el10_1
kernel-modules
6.12.0-124.49.1.el10_1
kernel-modules-core
6.12.0-124.49.1.el10_1
kernel-modules-extra
6.12.0-124.49.1.el10_1
kernel-modules-extra-matched
6.12.0-124.49.1.el10_1
kernel-tools
6.12.0-124.49.1.el10_1
kernel-tools-libs
6.12.0-124.49.1.el10_1
kernel-uki-virt
6.12.0-124.49.1.el10_1
kernel-uki-virt-addons
6.12.0-124.49.1.el10_1
kernel-debug-devel
6.12.0-124.49.1.el10_1
kernel-debug-devel-matched
6.12.0-124.49.1.el10_1
kernel-devel
6.12.0-124.49.1.el10_1
kernel-devel-matched
6.12.0-124.49.1.el10_1
kernel-doc
6.12.0-124.49.1.el10_1
kernel-headers
6.12.0-124.49.1.el10_1
perf
6.12.0-124.49.1.el10_1
python3-perf
6.12.0-124.49.1.el10_1
rtla
6.12.0-124.49.1.el10_1
rv
6.12.0-124.49.1.el10_1
kernel-cross-headers
6.12.0-124.49.1.el10_1
kernel-tools-libs-devel
6.12.0-124.49.1.el10_1
libperf
6.12.0-124.49.1.el10_1
Ссылки на источники
Связанные уязвимости
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix ECVF vports unload on shutdown flow Fix shutdown flow UAF when a virtual function is created on the embedded chip (ECVF) of a BlueField device. In such case the vport acl ingress table is not properly destroyed. ECVF functionality is independent of ecpf_vport_exists capability and thus functions mlx5_eswitch_(enable|disable)_pf_vf_vports() should not test it when enabling/disabling ECVF vports. kernel log: [] refcount_t: underflow; use-after-free. [] WARNING: CPU: 3 PID: 1 at lib/refcount.c:28 refcount_warn_saturate+0x124/0x220 ---------------- [] Call trace: [] refcount_warn_saturate+0x124/0x220 [] tree_put_node+0x164/0x1e0 [mlx5_core] [] mlx5_destroy_flow_table+0x98/0x2c0 [mlx5_core] [] esw_acl_ingress_table_destroy+0x28/0x40 [mlx5_core] [] esw_acl_ingress_lgcy_cleanup+0x80/0xf4 [mlx5_core] [] esw_legacy_vport_acl_cleanup+0x44/0x60 [mlx5_core] [] esw_vport_cleanup+0x64/0x90 [mlx5_core] [] mlx5_esw_vp...
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix ECVF vports unload on shutdown flow Fix shutdown flow UAF when a virtual function is created on the embedded chip (ECVF) of a BlueField device. In such case the vport acl ingress table is not properly destroyed. ECVF functionality is independent of ecpf_vport_exists capability and thus functions mlx5_eswitch_(enable|disable)_pf_vf_vports() should not test it when enabling/disabling ECVF vports. kernel log: [] refcount_t: underflow; use-after-free. [] WARNING: CPU: 3 PID: 1 at lib/refcount.c:28 refcount_warn_saturate+0x124/0x220 ---------------- [] Call trace: [] refcount_warn_saturate+0x124/0x220 [] tree_put_node+0x164/0x1e0 [mlx5_core] [] mlx5_destroy_flow_table+0x98/0x2c0 [mlx5_core] [] esw_acl_ingress_table_destroy+0x28/0x40 [mlx5_core] [] esw_acl_ingress_lgcy_cleanup+0x80/0xf4 [mlx5_core] [] esw_legacy_vport_acl_cleanup+0x44/0x60 [mlx5_core] [] esw_vport_cleanup+0x64/0x90 [mlx5_core] [] mlx5_esw_vp...