RHSA-2025:20095MediumCVSS 7.8

Red Hat Security Advisory: kernel security update

Published
November 11, 2025
Last Modified
July 11, 2026

🔗 CVE IDs covered (122)

CVE-2025-21864CVE-2025-21702CVE-2024-36350CVE-2024-49570CVE-2024-57902CVE-2024-58015CVE-2025-22092CVE-2025-23129CVE-2025-38412CVE-2024-57986CVE-2025-21743CVE-2025-21777CVE-2025-21902CVE-2025-22025CVE-2025-22119CVE-2024-36357CVE-2024-58020CVE-2025-22086CVE-2025-37849CVE-2025-38116CVE-2025-21742CVE-2024-58012CVE-2024-58061CVE-2025-21828CVE-2025-21795CVE-2025-22089CVE-2025-38234CVE-2025-38288CVE-2025-21727CVE-2025-21785CVE-2025-21861CVE-2024-57941CVE-2025-21837 · pendingCVE-2024-28956CVE-2024-58004CVE-2025-21633 · pendingCVE-2025-21671CVE-2025-21791CVE-2025-22056CVE-2025-37749CVE-2025-21931CVE-2025-37994CVE-2025-38220CVE-2025-21741CVE-2024-58006CVE-2025-21761CVE-2025-21765CVE-2025-38683CVE-2024-58077CVE-2025-22116CVE-2024-53147CVE-2025-21846CVE-2025-22111CVE-2024-57942CVE-2024-57977CVE-2025-21750CVE-2024-57987CVE-2024-57988CVE-2025-21652CVE-2025-21655CVE-2024-57989CVE-2025-21693CVE-2025-21976CVE-2024-56662CVE-2025-22122CVE-2025-21691CVE-2025-21853CVE-2025-38322CVE-2025-21732CVE-2025-21786CVE-2025-38332CVE-2024-56690CVE-2025-21796CVE-2025-21826CVE-2025-21954CVE-2025-38468CVE-2024-58013CVE-2025-21738CVE-2025-21847CVE-2024-58069CVE-2024-58075CVE-2025-21680CVE-2025-38329CVE-2025-21857CVE-2025-38013CVE-2024-57901CVE-2024-53222CVE-2024-53241CVE-2024-54456CVE-2025-21790CVE-2025-38012CVE-2024-53216CVE-2025-38400CVE-2025-21844CVE-2025-21726CVE-2024-57984CVE-2024-58005CVE-2025-21771CVE-2024-52332CVE-2025-21855CVE-2024-57981CVE-2024-58072CVE-2025-38330CVE-2026-23146CVE-2024-56675CVE-2024-58014CVE-2024-58057CVE-2025-21851CVE-2025-21863CVE-2025-38438CVE-2025-71201CVE-2025-37821CVE-2025-38148CVE-2025-38200CVE-2024-58088CVE-2025-21647CVE-2025-21696CVE-2025-22105CVE-2025-38067CVE-2024-57995CVE-2025-38369CVE-2026-23205

📋 Description

CVE-2024-28956 — microcode_ctl: From CVEorg collector CVE-2024-36350 — kernel: information leak via transient execution vulnerability in some AMD processors CVE-2024-36357 — kernel: transient execution vulnerability in some AMD processors CVE-2024-49570 — kernel: drm/xe/tracing: Fix a potential TP_printk UAF CVE-2024-52332 — kernel: igb: Fix potential invalid memory access in igb_init_module() CVE-2024-53147 — kernel: exfat: fix out-of-bounds access of directory entries CVE-2024-53216 — kernel: nfsd: release svc_expkey/svc_export with rcu_work CVE-2024-53222 — kernel: zram: fix NULL pointer in comp_algorithm_show() CVE-2024-53241 — kernel: xen: Xen hypercall page unsafe against speculative attacks (Xen Security Advisory 466) CVE-2024-54456 — kernel: NFS: Fix potential buffer overflowin nfs_sysfs_link_rpc_client() CVE-2024-56662 — kernel: acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl CVE-2024-56675 — kernel: bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors CVE-2024-56690 — kernel: crypto: pcrypt - Call crypto layer directly when padata_do_parallel() return -EBUSY CVE-2024-57901 — kernel: af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK CVE-2024-57902 — kernel: af_packet: fix vlan_get_tci() vs MSG_PEEK CVE-2024-57941 — kernel: netfs: Fix the (non-)cancellation of copy when cache is temporarily disabled CVE-2024-57942 — kernel: netfs: Fix ceph copy to cache on write-begin CVE-2024-57977 — kernel: memcg: fix soft lockup in the OOM process CVE-2024-57981 — kernel: usb: xhci: Fix NULL pointer dereference on certain command aborts CVE-2024-57984 — kernel: i3c: dw: Fix use-after-free in dw_i3c_master driver due to race condition CVE-2024-57986 — kernel: HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections CVE-2024-57987 — kernel: Bluetooth: btrtl: check for NULL in btrtl_setup_realtek() CVE-2024-57988 — kernel: Bluetooth: btbcm: Fix NULL deref in btbcm_get_board_name() CVE-2024-57989 — kernel: wifi: mt76: mt7925: fix NULL deref check in mt7925_change_vif_links CVE-2024-57995 — kernel: wifi: ath12k: fix read pointer after free in ath12k_mac_assign_vif_to_vdev() CVE-2024-58004 — kernel: media: intel/ipu6: remove cpu latency qos request on error CVE-2024-58005 — kernel: tpm: Change to kvalloc() in eventlog/acpi.c CVE-2024-58006 — kernel: PCI: dwc: ep: Prevent changing BAR size/flags in pci_epc_set_bar() CVE-2024-58012 — kernel: ASoC: SOF: Intel: hda-dai: Ensure DAI widget is valid during params CVE-2024-58013 — kernel: Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync CVE-2024-58014 — kernel: wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy() CVE-2024-58015 — kernel: wifi: ath12k: Fix for out-of bound access error CVE-2024-58020 — kernel: HID: multitouch: Add NULL check in mt_input_configured CVE-2024-58057 — kernel: idpf: convert workqueues to unbound CVE-2024-58061 — kernel: wifi: mac80211: prohibit deactivating all links CVE-2024-58069 — kernel: rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read CVE-2024-58072 — kernel: wifi: rtlwifi: remove unused check_buddy_priv CVE-2024-58075 — kernel: crypto: tegra - do not transfer req when tegra init fails CVE-2024-58077 — kernel: ASoC: soc-pcm: don't use soc_pcm_ret() on .prepare callback CVE-2024-58088 — kernel: bpf: Fix deadlock when freeing cgroup storage CVE-2025-21633 — kernel: io_uring/sqpoll: zero sqd->thread on tctx errors CVE-2025-21647 — kernel: sched: sch_cake: add bounds checks to host bulk flow fairness counts CVE-2025-21652 — kernel: ipvlan: Fix use-after-free in ipvlan_get_iflink(). CVE-2025-21655 — kernel: io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period CVE-2025-21671 — kernel: zram: fix potential UAF of zram table CVE-2025-21680 — kernel: pktgen: Avoid out-of-bounds access in get_imix_entries CVE-2025-21691 — kernel: cachestat: fix page cache statistics permission checking CVE-2025-21693 — kernel: mm: zswap: properly synchronize freeing resources during CPU hotunplug CVE-2025-21696 — kernel: mm: clear uffd-wp PTE/PMD state on mremap() CVE-2025-21702 — kernel: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 CVE-2025-21726 — kernel: padata: avoid UAF for reorder_work CVE-2025-21727 — kernel: padata: fix UAF in padata_reorder CVE-2025-21732 — kernel: RDMA/mlx5: Fix a race for an ODP MR which leads to CQE with error CVE-2025-21738 — kernel: ata: libata-sff: Ensure that we cannot write outside the allocated buffer CVE-2025-21741 — kernel: usbnet: ipheth: fix DPE OoB read CVE-2025-21742 — kernel: usbnet: ipheth: use static NDP16 location in URB CVE-2025-21743 — kernel: usbnet: ipheth: fix possible overflow in DPE length check CVE-2025-21750 — kernel: wifi: brcmfmac: Check the return value of of_property_read_string_index() CVE-2025-21761 — kernel: openvswitch: use RCU protection in ovs_vport_cmd_fill_info() CVE-2025-21765 — kernel: ipv6: use RCU protection in ip6_default_advmss() CVE-2025-21771 — kernel: sched_ext: Fix incorrect autogroup migration detection CVE-2025-21777 — kernel: ring-buffer: Validate the persistent meta data subbuf array CVE-2025-21785 — kernel: arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array CVE-2025-21786 — kernel: workqueue: Put the pwq after detaching the rescuer from the pool CVE-2025-21790 — kernel: vxlan: check vxlan_vnigroup_init() return value CVE-2025-21791 — kernel: vrf: use RCU protection in l3mdev_l3_out() CVE-2025-21795 — kernel: NFSD: fix hang in nfsd4_shutdown_callback CVE-2025-21796 — kernel: nfsd: clear acl_access/acl_default after releasing them CVE-2025-21826 — kernel: netfilter: nf_tables: reject mismatching sum of field_len with set key length CVE-2025-21828 — kernel: wifi: mac80211: don't flush non-uploaded STAs CVE-2025-21837 — kernel: io_uring/uring_cmd: unconditionally copy SQEs at prep time CVE-2025-21844 — kernel: smb: client: Add check for next_buffer in receive_encrypted_standard() CVE-2025-21846 — kernel: acct: perform last write from workqueue CVE-2025-21847 — kernel: ASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data() CVE-2025-21851 — kernel: bpf: Fix softlockup in arena_map_free on 64k page kernel CVE-2025-21853 — kernel: bpf: avoid holding freeze_mutex during mmap operation CVE-2025-21855 — kernel: ibmvnic: Don't reference skb after sending to VIOS CVE-2025-21857 — kernel: net/sched: cls_api: fix error handling causing NULL dereference CVE-2025-21861 — kernel: mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() CVE-2025-21863 — kernel: io_uring: prevent opcode speculation CVE-2025-21864 — kernel: tcp: drop secpath at the same time as we currently drop dst CVE-2025-21902 — kernel: acpi: typec: ucsi: Introduce a ->poll_cci method CVE-2025-21931 — kernel: hwpoison, memory_hotplug: lock folio before unmap hwpoisoned folio CVE-2025-21954 — kernel: netmem: prevent TX of unreadable skbs CVE-2025-21976 — kernel: fbdev: hyperv_fb: Allow graceful removal of framebuffer CVE-2025-22025 — kernel: nfsd: put dl_stid if fail to queue dl_recall CVE-2025-22056 — kernel: netfilter: nft_tunnel: fix geneve_opt type confusion addition CVE-2025-22086 — kernel: RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow CVE-2025-22089 — kernel: RDMA/core: Don't expose hw_counters outside of init net namespace CVE-2025-22092 — kernel: PCI: Fix NULL dereference in SR-IOV VF creation error path CVE-2025-22105 — kernel: bonding: check xdp prog when set bond mode CVE-2025-22111 — kernel: net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF. CVE-2025-22116 — kernel: idpf: check error for register_netdev() on init CVE-2025-22119 — kernel: wifi: cfg80211: init wiphy_work before allocating rfkill fails CVE-2025-22122 — kernel: block: fix adding folio to bio CVE-2025-23129 — kernel: wifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path CVE-2025-37749 — kernel: net: ppp: Add bound checking for skb data on ppp_sync_txmung CVE-2025-37821 — kernel: sched/eevdf: Fix se->slice being set to U64_MAX and resulting crash CVE-2025-37849 — kernel: KVM: arm64: Tear down vGIC on failed vCPU creation CVE-2025-37994 — kernel: usb: typec: ucsi: displayport: Fix NULL pointer access CVE-2025-38012 — kernel: sched_ext: bpf_iter_scx_dsq_new() should always initialize iterator CVE-2025-38013 — kernel: wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request CVE-2025-38067 — kernel: rseq: Fix segfault on registration when rseq_cs is non-zero CVE-2025-38116 — kernel: wifi: ath12k: fix uaf in ath12k_core_init() CVE-2025-38148 — kernel: net: phy: mscc: Fix memory leak when using one step timestamping CVE-2025-38200 — kernel: i40e: fix MMIO write access to an invalid page in i40e_clear_hw CVE-2025-38220 — kernel: ext4: only dirty folios when data journaling regular files CVE-2025-38234 — kernel: sched/rt: Fix race in push_rt_task CVE-2025-38288 — kernel: scsi: smartpqi: Fix smp_processor_id() call trace for preemptible kernels CVE-2025-38322 — kernel: perf/x86/intel: Fix crash in icl_update_topdown_event() CVE-2025-38329 — kernel: firmware: cs_dsp: Fix OOB memory read access in KUnit test (wmfw info) CVE-2025-38330 — kernel: firmware: cs_dsp: Fix OOB memory read access in KUnit test (ctl cache) CVE-2025-38332 — kernel: scsi: lpfc: Use memcpy() for BIOS version CVE-2025-38369 — kernel: dmaengine: idxd: Check availability of workqueue allocated by idxd wq driver before using CVE-2025-38400 — kernel: nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails CVE-2025-38412 — kernel: platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks CVE-2025-38438 — kernel: ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak. CVE-2025-38468 — kernel: net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree CVE-2025-38683 — kernel: hv_netvsc: Fix panic during namespace deletion with VF CVE-2025-71201 — kernel: netfs: Fix early read unlock of page with EOF in middle CVE-2026-23146 — kernel: Linux kernel: Denial of Service in Bluetooth HCI UART driver via null pointer dereference CVE-2026-23205 — kernel: smb/client: fix memory leak in smb2_open_file()

🔗 References (100)