OESA-2025-2764

The Linux Kernel, the operating system core itself.

Security Fix(es):

In the Linux kernel, the following vulnerability has been resolved:ext4: fix out-of-bound read in ext4xattrinodedecrefall()There s issue as follows:BUG: KASAN: use-after-free in ext4xattrinodedecrefall+0x6ff/0x790Read of size 4 at addr ffff88807b003000 by task syz-executor.0/15172CPU: 3 PID: 15172 Comm: syz-executor.0Call Trace: _dumpstack lib/dumpstack.c:82 [inline] dumpstack+0xbe/0xfd lib/dumpstack.c:123 printaddressdescription.constprop.0+0x1e/0x280 mm/kasan/report.c:400 _kasanreport.cold+0x6c/0x84 mm/kasan/report.c:560 kasanreport+0x3a/0x50 mm/kasan/report.c:585 ext4xattrinodedecrefall+0x6ff/0x790 fs/ext4/xattr.c:1137 ext4xattrdeleteinode+0x4c7/0xda0 fs/ext4/xattr.c:2896 ext4evictinode+0xb3b/0x1670 fs/ext4/inode.c:323 evict+0x39f/0x880 fs/inode.c:622 iputfinal fs/inode.c:1746 [inline] iput fs/inode.c:1772 [inline] iput+0x525/0x6c0 fs/inode.c:1758 ext4orphancleanup fs/ext4/super.c:3298 [inline] ext4fillsuper+0x8c57/0xba40 fs/ext4/super.c:5300 mountbdev+0x355/0x410 fs/super.c:1446 legacygettree+0xfe/0x220 fs/fscontext.c:611 vfsgettree+0x8d/0x2f0 fs/super.c:1576 donewmount fs/namespace.c:2983 [inline] pathmount+0x119a/0x1ad0 fs/namespace.c:3316 domount+0xfc/0x110 fs/namespace.c:3329 _dosysmount fs/namespace.c:3540 [inline] _sesysmount+0x219/0x2e0 fs/namespace.c:3514 dosyscall64+0x33/0x40 arch/x86/entry/common.c:46 entrySYSCALL64afterhwframe+0x67/0xd1Memory state around the buggy address: ffff88807b002f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88807b002f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00>ffff88807b003000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88807b003080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88807b003100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffAbove issue happens as ext4xattrdeleteinode() isn t check xattris valid if xattr is in inode.To solve above issue call xattrcheckinode() check if xattr if validin inode. In fact, we can directly verify in ext4igetextra_inode(),so that there is no divergent verification.(CVE-2025-22121)

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2025-39751)

In the Linux kernel, the following vulnerability has been resolved:

crypto: essiv - Check ssize for decryption and in-place encryption

Move the ssize check to the start in essivaeadcrypt so that it's also checked for decryption and in-place encryption.(CVE-2025-40019)

In the Linux kernel, a memory leak vulnerability exists. Cilium's BPF egress gateway feature redirects K8s Pod traffic through vxlan tunnels to dedicated egress gateways. When using the bpfredirectneigh() helper to forward packets, vxlan allocates metadatadst objects and attaches them to skb through fake dst entries. However, since bpfredirectneigh() only sets new dst entries without first dropping existing ones, the metadatadst objects are never released, causing continuous increase in kmalloc-256 slab usage.(CVE-2025-40183)

In the Linux kernel, the following vulnerability has been resolved: cpufreq: intelpstate: Fix object lifecycle issue in updateqosrequest(). The cpufreqcpuput() call in updateqosrequest() takes place too early because the latter subsequently calls freqqosupdaterequest() that indirectly accesses the policy object in question through the QoS request object passed to it. Fortunately, updateqosrequest() is called under intelpstatedriverlock, so this issue does not matter for changing the intelpstate operation mode, but it theoretically can cause a crash to occur on CPU device hot removal (which currently can only happen in virt, but it is formally supported nevertheless). Address this issue by modifying updateqosrequest() to drop the reference to the policy later.(CVE-2025-40194)