Red Hat Security Advisory: kernel security update
🔗 CVE IDs covered (143)
📋 Description
CVE-2022-48830 — kernel: can: isotp: fix potential CAN frame reception race in isotp_rcv() CVE-2022-49024 — kernel: can: m_can: pci: add missing m_can_class_free_dev() in probe/remove methods CVE-2022-49269 — kernel: can: isotp: sanitize CAN ID checks in isotp_bind() CVE-2022-49353 — kernel: powerpc/papr_scm: don't requests stats with '0' sized stats buffer CVE-2022-49357 — kernel: efi: Do not import certificates from UEFI Secure Boot for T2 Macs CVE-2022-49432 — kernel: powerpc/xics: fix refcount leak in icp_opal_init() CVE-2022-49437 — kernel: powerpc/xive: Fix refcount leak in xive_spapr_init CVE-2022-49443 — kernel: list: fix a data-race around ep->rdllist CVE-2022-49623 — kernel: powerpc/xive/spapr: correct bitmap allocation size CVE-2022-49627 — kernel: ima: Fix potential memory leak in ima_init_crypto() CVE-2022-49643 — kernel: ima: Fix a potential integer overflow in ima_appraise_measurement CVE-2022-49648 — kernel: tracing/histograms: Fix memory leak problem CVE-2022-49657 — kernel: usbnet: fix memory leak in error case CVE-2022-49670 — kernel: linux/dim: Fix divide by 0 in RDMA DIM CVE-2022-49672 — kernel: net: tun: unlink NAPI from device on destruction CVE-2022-49845 — kernel: can: j1939: j1939_send_one(): fix missing CAN header initialization CVE-2022-50143 — kernel: intel_th: Fix a resource leak in an error handling path CVE-2022-50504 — kernel: powerpc/rtas: avoid scheduling in rtas_os_term() CVE-2023-52941 — kernel: can: isotp: split tx timer into transmission and timeout CVE-2023-53426 — kernel: Linux kernel: Denial of Service in xsk_diag due to use-after-free during socket cleanup CVE-2023-53781 — kernel: smc: Fix use-after-free in tcp_write_timer_handler() CVE-2023-54119 — kernel: inotify: Avoid reporting event with invalid wd CVE-2023-54152 — kernel: Linux kernel (CAN J1939): Denial of Service via deadlock CVE-2023-54237 — kernel: net/smc: fix potential panic dues to unprotected smc_llc_srv_add_link() CVE-2023-54318 — kernel: net/smc: use smc_lgr_list.lock to protect smc_lgr_list.list iterate in smcr_port_add CVE-2024-36350 — kernel: information leak via transient execution vulnerability in some AMD processors CVE-2024-36357 — kernel: transient execution vulnerability in some AMD processors CVE-2024-46689 — kernel: soc: qcom: cmd-db: Map shared memory as WC, not WB CVE-2024-46744 — kernel: Squashfs: sanity check symbolic link size CVE-2024-47679 — kernel: vfs: fix race between evice_inodes() and find_inode()&iput() CVE-2024-47727 — kernel: x86/tdx: Fix "in-kernel MMIO" check CVE-2024-49570 — kernel: drm/xe/tracing: Fix a potential TP_printk UAF CVE-2024-49864 — kernel: rxrpc: Fix a race between socket set up and I/O thread creation CVE-2024-50060 — kernel: io_uring: check if we need to reschedule during overflow flush CVE-2024-50195 — kernel: posix-clock: Fix missing timespec64 check in pc_clock_settime() CVE-2024-50294 — kernel: rxrpc: Fix missing locking causing hanging calls CVE-2024-52332 — kernel: igb: Fix potential invalid memory access in igb_init_module() CVE-2024-53052 — kernel: io_uring/rw: fix missing NOWAIT check for O_DIRECT start write CVE-2024-53090 — kernel: afs: Fix lock recursion CVE-2024-53119 — kernel: virtio/vsock: Fix accept_queue memory leak CVE-2024-53135 — kernel: KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN CVE-2024-53170 — kernel: block: fix uaf for flush rq while iterating tags CVE-2024-53229 — kernel: RDMA/rxe: Fix the qp flush warnings in req CVE-2024-53241 — kernel: xen: Xen hypercall page unsafe against speculative attacks (Xen Security Advisory 466) CVE-2024-53680 — kernel: ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init() CVE-2024-54456 — kernel: NFS: Fix potential buffer overflowin nfs_sysfs_link_rpc_client() CVE-2024-56603 — kernel: net: af_can: do not leave a dangling sk pointer in can_create() CVE-2024-56645 — kernel: can: j1939: j1939_session_new(): fix skb reference counting CVE-2024-56662 — kernel: acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl CVE-2024-56672 — kernel: blk-cgroup: Fix UAF in blkcg_unpin_online() CVE-2024-56675 — kernel: bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors CVE-2024-56690 — kernel: crypto: pcrypt - Call crypto layer directly when padata_do_parallel() return -EBUSY CVE-2024-56709 — kernel: io_uring: check if iowq is killed before queuing CVE-2024-56739 — kernel: rtc: check if __rtc_read_time was successful in rtc_timer_do_work() CVE-2024-56786 — kernel: bpf: put bpf_link's program when link is safe to be deallocated CVE-2024-57981 — kernel: usb: xhci: Fix NULL pointer dereference on certain command aborts CVE-2024-57986 — kernel: HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections CVE-2024-57987 — kernel: Bluetooth: btrtl: check for NULL in btrtl_setup_realtek() CVE-2024-57988 — kernel: Bluetooth: btbcm: Fix NULL deref in btbcm_get_board_name() CVE-2024-57989 — kernel: wifi: mt76: mt7925: fix NULL deref check in mt7925_change_vif_links CVE-2024-57990 — kernel: wifi: mt76: mt7925: fix off by one in mt7925_load_clc() CVE-2024-57993 — kernel: HID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding endpoint check CVE-2024-57995 — kernel: wifi: ath12k: fix read pointer after free in ath12k_mac_assign_vif_to_vdev() CVE-2024-57998 — kernel: OPP: add index check to assert to avoid buffer overflow in read_freq() CVE-2024-58012 — kernel: ASoC: SOF: Intel: hda-dai: Ensure DAI widget is valid during params CVE-2024-58014 — kernel: wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy() CVE-2024-58015 — kernel: wifi: ath12k: Fix for out-of bound access error CVE-2024-58057 — kernel: idpf: convert workqueues to unbound CVE-2024-58062 — kernel: wifi: iwlwifi: mvm: avoid NULL pointer dereference CVE-2024-58068 — kernel: OPP: fix dev_pm_opp_find_bw*() when bandwidth table not initialized CVE-2024-58072 — kernel: wifi: rtlwifi: remove unused check_buddy_priv CVE-2024-58075 — kernel: crypto: tegra - do not transfer req when tegra init fails CVE-2024-58077 — kernel: ASoC: soc-pcm: don't use soc_pcm_ret() on .prepare callback CVE-2024-58083 — kernel: KVM: Explicitly verify target vCPU is online in kvm_get_vcpu() CVE-2024-58088 — kernel: bpf: Fix deadlock when freeing cgroup storage CVE-2025-21631 — kernel: block, bfq: fix waker_bfqq UAF after bfq_split_bfqq() CVE-2025-21647 — kernel: sched: sch_cake: add bounds checks to host bulk flow fairness counts CVE-2025-21648 — kernel: netfilter: conntrack: clamp maximum hashtable size to INT_MAX CVE-2025-21671 — kernel: zram: fix potential UAF of zram table CVE-2025-21672 — kernel: afs: Fix merge preference rule failure condition CVE-2025-21691 — kernel: cachestat: fix page cache statistics permission checking CVE-2025-21693 — kernel: mm: zswap: properly synchronize freeing resources during CPU hotunplug CVE-2025-21696 — kernel: mm: clear uffd-wp PTE/PMD state on mremap() CVE-2025-21702 — kernel: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 CVE-2025-21714 — kernel: RDMA/mlx5: Fix implicit ODP use after free CVE-2025-21726 — kernel: padata: avoid UAF for reorder_work CVE-2025-21727 — kernel: padata: fix UAF in padata_reorder CVE-2025-21728 — kernel: bpf: Send signals asynchronously if !preemptible CVE-2025-21729 — kernel: wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion CVE-2025-21738 — kernel: ata: libata-sff: Ensure that we cannot write outside the allocated buffer CVE-2025-21739 — kernel: scsi: ufs: core: Fix use-after free in init error and remove paths CVE-2025-21745 — kernel: blk-cgroup: Fix class @block_class's subsystem refcount leakage CVE-2025-21746 — kernel: Input: synaptics - fix crash when enabling pass-through port CVE-2025-21765 — kernel: ipv6: use RCU protection in ip6_default_advmss() CVE-2025-21786 — kernel: workqueue: Put the pwq after detaching the rescuer from the pool CVE-2025-21787 — kernel: team: better TEAM_OPTION_TYPE_STRING validation CVE-2025-21790 — kernel: vxlan: check vxlan_vnigroup_init() return value CVE-2025-21791 — kernel: vrf: use RCU protection in l3mdev_l3_out() CVE-2025-21795 — kernel: NFSD: fix hang in nfsd4_shutdown_callback CVE-2025-21796 — kernel: nfsd: clear acl_access/acl_default after releasing them CVE-2025-21806 — kernel: net: let net.core.dev_weight always be non-zero CVE-2025-21826 — kernel: netfilter: nf_tables: reject mismatching sum of field_len with set key length CVE-2025-21828 — kernel: wifi: mac80211: don't flush non-uploaded STAs CVE-2025-21829 — kernel: RDMA/rxe: Fix the warning "__rxe_cleanup+0x12c/0x170 [rdma_rxe]" CVE-2025-21837 — kernel: io_uring/uring_cmd: unconditionally copy SQEs at prep time CVE-2025-21839 — kernel: KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop CVE-2025-21844 — kernel: smb: client: Add check for next_buffer in receive_encrypted_standard() CVE-2025-21846 — kernel: acct: perform last write from workqueue CVE-2025-21847 — kernel: ASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data() CVE-2025-21848 — kernel: nfp: bpf: Add check for nfp_app_ctrl_msg_alloc() CVE-2025-21851 — kernel: bpf: Fix softlockup in arena_map_free on 64k page kernel CVE-2025-21853 — kernel: bpf: avoid holding freeze_mutex during mmap operation CVE-2025-21855 — kernel: ibmvnic: Don't reference skb after sending to VIOS CVE-2025-21861 — kernel: mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() CVE-2025-21863 — kernel: io_uring: prevent opcode speculation CVE-2025-21864 — kernel: tcp: drop secpath at the same time as we currently drop dst CVE-2025-21902 — kernel: acpi: typec: ucsi: Introduce a ->poll_cci method CVE-2025-22056 — kernel: netfilter: nft_tunnel: fix geneve_opt type confusion addition CVE-2025-22086 — kernel: RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow CVE-2025-22089 — kernel: RDMA/core: Don't expose hw_counters outside of init net namespace CVE-2025-22092 — kernel: PCI: Fix NULL dereference in SR-IOV VF creation error path CVE-2025-22097 — kernel: drm/vkms: Fix use after free and double free on init error CVE-2025-22111 — kernel: net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF. CVE-2025-22116 — kernel: idpf: check error for register_netdev() on init CVE-2025-22119 — kernel: wifi: cfg80211: init wiphy_work before allocating rfkill fails CVE-2025-23129 — kernel: wifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path CVE-2025-37825 — kernel: nvmet: fix out-of-bounds access in nvmet_enable_port CVE-2025-37849 — kernel: KVM: arm64: Tear down vGIC on failed vCPU creation CVE-2025-37994 — kernel: usb: typec: ucsi: displayport: Fix NULL pointer access CVE-2025-38000 — kernel: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() CVE-2025-38013 — kernel: wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request CVE-2025-38075 — kernel: Linux kernel: Denial of Service due to NULL pointer dereference in iSCSI target NOPIN timer handling CVE-2025-38116 — kernel: wifi: ath12k: fix uaf in ath12k_core_init() CVE-2025-38127 — kernel: ice: fix Tx scheduler error handling in XDP callback CVE-2025-38234 — kernel: sched/rt: Fix race in push_rt_task CVE-2025-38288 — kernel: scsi: smartpqi: Fix smp_processor_id() call trace for preemptible kernels CVE-2025-38322 — kernel: perf/x86/intel: Fix crash in icl_update_topdown_event() CVE-2025-38332 — kernel: scsi: lpfc: Use memcpy() for BIOS version CVE-2025-38396 — kernel: fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass CVE-2025-38438 — kernel: ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak. CVE-2025-38527 — kernel: smb: client: fix use-after-free in cifs_oplock_break CVE-2026-23146 — kernel: Linux kernel: Denial of Service in Bluetooth HCI UART driver via null pointer dereference CVE-2026-23205 — kernel: smb/client: fix memory leak in smb2_open_file()
🔗 References (123)
- selfhttps://access.redhat.com/errata/RHSA-2025:20518
- externalhttps://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/9.7_release_notes/index
- externalhttps://access.redhat.com/security/updates/classification/#moderate
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2298169
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2312077
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2313092
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2320172
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2320259
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2320455
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2320616
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2320722
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2324549
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2327203
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2327374
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2327887
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2329918
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2330341
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2331326
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2334357
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2334396
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2334415
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2334439
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2334537
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2334547
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2334548
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2334560
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2334676
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2334795
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2334829
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2336541
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2337121
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2337124
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2338814
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2338828
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2338832
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2343172
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2343175
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2344684
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2344687
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2345240
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2346272
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2347707
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2347753
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2347759
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2347781
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2347807
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2347859
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2347919
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2347968
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348022
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348071
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348238
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348240
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348279
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348515
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348523
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348528
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348541
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348543
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348547
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348550
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348554
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348556
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348566
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348573
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348574
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348577
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348578
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348581
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348584
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348585
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348587
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348595
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348597
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348600
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348601
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348615
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348620
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348625
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348634
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348645
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348650
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348654
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2348901
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2350363
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2350367
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2350374
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2350375
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2350386
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2350388
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2350392
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2350396
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2350397
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2350400
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2350585
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2350589
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2350725
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2350726
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2351606
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2351608
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2351612
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2351613
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2351616
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2351618
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2351620
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2351624
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2351625
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2351629
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2351633
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2360215
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2363380
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2369184
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2376076
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2383441
- externalhttps://issues.redhat.com/browse/RHEL-331
- externalhttps://issues.redhat.com/browse/RHEL-52839
- externalhttps://issues.redhat.com/browse/RHEL-68997
- externalhttps://issues.redhat.com/browse/RHEL-73706
- externalhttps://issues.redhat.com/browse/RHEL-81900
- externalhttps://issues.redhat.com/browse/RHEL-86487
- externalhttps://issues.redhat.com/browse/RHEL-90133
- externalhttps://issues.redhat.com/browse/RHEL-94578
- selfhttps://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_20518.json