OESA-2025-1871

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1871
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2025-1871.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2025-1871
Upstream
Published
2025-07-18T14:51:07Z
Modified
2025-08-12T05:50:39.349650Z
Summary
kernel security update
Details

The Linux Kernel, the operating system core itself.

Security Fix(es):

Linux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States. The Linux kernel has a security vulnerability that originates from a qlen count error in sch_hfsc and may cause inconsistent queue statistics. (CVE-2025-38000)

In the Linux kernel, the following vulnerability has been resolved:

media: cxusb: no longer judge rbuf when the write fails

syzbot reported an uninit-value in cxusb_i2c_xfer. [1]

Only when the write operation of usb_bulk_msg() in dvb_usb_generic_rw() succeeds and rlen is greater than 0, the read operation of usb_bulk_msg() will be executed to read rlen bytes of data from the dvb device into the rbuf.

In this case, although rlen is 1, the write operation failed which resulted in the dvb read operation not being executed, and ultimately variable i was not initialized.

[1]
BUG: KMSAN: uninit-value in cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline]
BUG: KMSAN: uninit-value in cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196
 cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline]
 cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196
 __i2c_transfer+0xe25/0x3150 drivers/i2c/i2c-core-base.c:-1
 i2c_transfer+0x317/0x4a0 drivers/i2c/i2c-core-base.c:2315
 i2c_transfer_buffer_flags+0x125/0x1e0 drivers/i2c/i2c-core-base.c:2343
 i2c_master_send include/linux/i2c.h:109 [inline]
 i2cdev_write+0x210/0x280 drivers/i2c/i2c-dev.c:183
 do_loop_readv_writev fs/read_write.c:848 [inline]
 vfs_writev+0x963/0x14e0 fs/read_write.c:1057
 do_writev+0x247/0x5c0 fs/read_write.c:1101
 __do_sys_writev fs/read_write.c:1169 [inline]
 __se_sys_writev fs/read_write.c:1166 [inline]
 __x64_sys_writev+0x98/0xe0 fs/read_write.c:1166
 x64_sys_call+0x2229/0x3c80 arch/x86/include/generated/asm/syscalls_64.h:21
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
(CVE-2025-38229)
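The failure mode described in the commit message above, as an added user-space C model (not the kernel driver's code and not part of the advisory): the result byte is only meaningful when the transfer itself succeeded. The names `model_generic_rw`, `gpio_write_before`, `gpio_write_after` and the `stale` parameter are hypothetical; `stale` stands in for the uninitialised stack byte so the demonstration stays well-defined.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the transfer helper: the read into rbuf happens only when the
 * write succeeded and rlen > 0. On write failure rbuf is left untouched. */
static int model_generic_rw(int write_ok, uint8_t *rbuf, size_t rlen)
{
    if (!write_ok)
        return -EIO;               /* read step skipped, rbuf not written */
    if (rlen > 0)
        memset(rbuf, 0x01, rlen);  /* constructed device reply: 0x01 = OK */
    return 0;
}

/* Before: the return code is ignored and the decision is taken from the
 * result byte, which still holds stale stack content if the write failed. */
static int gpio_write_before(int write_ok, uint8_t stale)
{
    uint8_t i = stale;             /* models the uninitialised variable i */
    model_generic_rw(write_ok, &i, 1);
    return i == 0x01;              /* 1 means "reported as succeeded" */
}

/* After: the result byte is judged only when the transfer succeeded. */
static int gpio_write_after(int write_ok, uint8_t stale)
{
    uint8_t i = stale;
    int rc = model_generic_rw(write_ok, &i, 1);
    return rc >= 0 && i == 0x01;
}

int main(void)
{
    /* Failed write with a stale byte that happens to equal 0x01. */
    printf("before: %d\n", gpio_write_before(0, 0x01));
    printf("after:  %d\n", gpio_write_after(0, 0x01));
    return 0;
}
```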

A vulnerability has been found in Linux Kernel up to 6.15.2 (Operating System) and classified as critical. The CWE definition for the vulnerability is CWE-121. A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). As an impact it is known to affect confidentiality, integrity, and availability. Upgrading to version 5.4.295, 5.10.239, 5.15.186, 6.1.142, 6.6.94, 6.12.34, 6.15.3 or 6.16-rc1 eliminates this vulnerability. Applying the patch 44ebe361abb322d2afd77930fa767a99f271c4d1/147ea936fc6fa8fe0c93f0df918803a5375ca535/ee90be48edb3dac612e0b7f5332482a9e8be2696/e167414beabb1e941fe563a96becc98627d5bdf6/6d8f39875a10a194051c3eaefebc7ac06a34aaf3/c98cdf6795a36bca163ebb40411fef1687b9eb13/18e8cbbae79cb35bdce8a01c889827b9799c762e/3880cdbed1c4607e378f58fa924c5d6df900d1d3 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version. (CVE-2025-38285)

A vulnerability was found in Linux Kernel up to 6.16-rc2 (Operating System). It has been declared as problematic. The CWE definition for the vulnerability is CWE-125. The product reads data past the end, or before the beginning, of the intended buffer. As an impact it is known to affect confidentiality. Upgrading to version 5.4.295, 5.10.239, 5.15.186, 6.1.142, 6.6.95, 6.12.35, 6.15.4 or 6.16-rc3 eliminates this vulnerability. Applying the patch 64773b3ea09235168a549a195cba43bb867c4a17/67abac27d806e8f9d4226ec1528540cf73af673a/92750bfe7b0d8dbcaf578c091a65eda1c5f9ad38/01f91d415a8375d85e0c7d3615cd4a168308bb7c/21da6d3561f373898349ca7167c9811c020da695/22f935bc86bdfbde04009f05eee191d220cd8c89/422e565b7889ebfd9c8705a3fc786642afe61fca/39dfc971e42d886e7df01371cd1bef505076d84c is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version. The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2025-20926). (CVE-2025-38320)

A vulnerability was found in Linux Kernel up to 6.15.3 (Operating System). It has been declared as critical. The CWE definition for the vulnerability is CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. As an impact it is known to affect confidentiality, integrity, and availability. Upgrading to version 5.4.295, 5.10.239, 5.15.186, 6.1.142, 6.6.95, 6.12.35, 6.15.4 or 6.16-rc1 eliminates this vulnerability. Applying the patch d064c68781c19f378af1ae741d9132d35d24b2bb/8690cd3258455bbae64f809e1d3ee0f043661c71/6805582abb720681dd1c87ff677f155dcf4e86c9/03a162933c4a03b9f1a84f7d8482903c7e1e11bb/83a692a9792aa86249d68a8ac0b9d55ecdd255fa/8e89c17dc8970c5f71a3a991f5724d4c8de42d8c/f78a786ad9a5443a29eef4dae60cde85b7375129/f914b52c379c12288b7623bb814d0508dbe7481d is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version. (CVE-2025-38346)

Database specific
{
    "severity": "High"
}
References

Affected packages

openEuler:20.03-LTS-SP4 / kernel

Package

Name
kernel
Purl
pkg:rpm/openEuler/kernel&distro=openEuler-20.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.19.90-2507.3.0.0336.oe2003sp4

Ecosystem specific

{
    "src": [
        "kernel-4.19.90-2507.3.0.0336.oe2003sp4.src.rpm"
    ],
    "x86_64": [
        "bpftool-4.19.90-2507.3.0.0336.oe2003sp4.x86_64.rpm",
        "bpftool-debuginfo-4.19.90-2507.3.0.0336.oe2003sp4.x86_64.rpm",
        "kernel-4.19.90-2507.3.0.0336.oe2003sp4.x86_64.rpm",
        "kernel-debuginfo-4.19.90-2507.3.0.0336.oe2003sp4.x86_64.rpm",
        "kernel-debugsource-4.19.90-2507.3.0.0336.oe2003sp4.x86_64.rpm",
        "kernel-devel-4.19.90-2507.3.0.0336.oe2003sp4.x86_64.rpm",
        "kernel-source-4.19.90-2507.3.0.0336.oe2003sp4.x86_64.rpm",
        "kernel-tools-4.19.90-2507.3.0.0336.oe2003sp4.x86_64.rpm",
        "kernel-tools-debuginfo-4.19.90-2507.3.0.0336.oe2003sp4.x86_64.rpm",
        "kernel-tools-devel-4.19.90-2507.3.0.0336.oe2003sp4.x86_64.rpm",
        "perf-4.19.90-2507.3.0.0336.oe2003sp4.x86_64.rpm",
        "perf-debuginfo-4.19.90-2507.3.0.0336.oe2003sp4.x86_64.rpm",
        "python2-perf-4.19.90-2507.3.0.0336.oe2003sp4.x86_64.rpm",
        "python2-perf-debuginfo-4.19.90-2507.3.0.0336.oe2003sp4.x86_64.rpm",
        "python3-perf-4.19.90-2507.3.0.0336.oe2003sp4.x86_64.rpm",
        "python3-perf-debuginfo-4.19.90-2507.3.0.0336.oe2003sp4.x86_64.rpm"
    ],
    "aarch64": [
        "bpftool-4.19.90-2507.3.0.0336.oe2003sp4.aarch64.rpm",
        "bpftool-debuginfo-4.19.90-2507.3.0.0336.oe2003sp4.aarch64.rpm",
        "kernel-4.19.90-2507.3.0.0336.oe2003sp4.aarch64.rpm",
        "kernel-debuginfo-4.19.90-2507.3.0.0336.oe2003sp4.aarch64.rpm",
        "kernel-debugsource-4.19.90-2507.3.0.0336.oe2003sp4.aarch64.rpm",
        "kernel-devel-4.19.90-2507.3.0.0336.oe2003sp4.aarch64.rpm",
        "kernel-source-4.19.90-2507.3.0.0336.oe2003sp4.aarch64.rpm",
        "kernel-tools-4.19.90-2507.3.0.0336.oe2003sp4.aarch64.rpm",
        "kernel-tools-debuginfo-4.19.90-2507.3.0.0336.oe2003sp4.aarch64.rpm",
        "kernel-tools-devel-4.19.90-2507.3.0.0336.oe2003sp4.aarch64.rpm",
        "perf-4.19.90-2507.3.0.0336.oe2003sp4.aarch64.rpm",
        "perf-debuginfo-4.19.90-2507.3.0.0336.oe2003sp4.aarch64.rpm",
        "python2-perf-4.19.90-2507.3.0.0336.oe2003sp4.aarch64.rpm",
        "python2-perf-debuginfo-4.19.90-2507.3.0.0336.oe2003sp4.aarch64.rpm",
        "python3-perf-4.19.90-2507.3.0.0336.oe2003sp4.aarch64.rpm",
        "python3-perf-debuginfo-4.19.90-2507.3.0.0336.oe2003sp4.aarch64.rpm"
    ]
}