The Linux Kernel, the operating system core itself.
Security Fix(es):
A vulnerability was found in Linux Kernel up to 6.15.3 (Operating System). It has been rated as problematic. Using CWE to declare the problem leads to CWE-252: the product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. Impacted are confidentiality, integrity, and availability. Upgrading to version 5.4.295, 5.10.239, 5.15.186, 6.1.142, 6.6.95, 6.12.35, 6.15.4 or 6.16-rc1 eliminates this vulnerability. Applying the patch 119766de4930ff40db9f36b960cb53b0c400e81b/33163c68d2e3061fa3935b5f0a1867958b1cdbd2/9da3e442714f7f4393ff01c265c4959c03e88c2f/9a350f30d65197354706b7759b5c89d6c267b1a9/6bd2569d0b2f918e9581f744df0263caf73ee76c/4da7fcc098218ff92b2e83a43f545c02f714cedd/cdaa6d1cb2ff1219c6c822b27655dd170ffb0f72/9ad0452c0277b816a435433cca601304cfac7c21 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version. The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2025-19447). (CVE-2025-38086)
In the Linux kernel, the following vulnerability has been resolved:
sch_hfsc: make hfsc_qlen_notify() idempotent
hfsc_qlen_notify() is not idempotent either and not friendly to its callers, like fq_codel_dequeue(). Let's make it idempotent to ease qdisc_tree_reduce_backlog() callers' life:
update_vf() decreases cl->cl_nactive, so we can check whether it is non-zero before calling it.
eltree_remove() always removes RB node cl->el_node, but we can use RB_EMPTY_NODE() + RB_CLEAR_NODE() to make it safe. (CVE-2025-38177)
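The two guards described above, as an added user-space example that is not the kernel's or the commit's code: struct node, struct tree, clear_node() and empty_node() are toy stand-ins for the rb_node machinery, RB_CLEAR_NODE() and RB_EMPTY_NODE(), and the counters mirror cl_nactive and the eligible tree.

```c
/* Added example, not kernel code: the two guards described above on a toy tree.
 * The kernel's RB_CLEAR_NODE() marks a node unlinked by pointing its parent link
 * at the node itself and RB_EMPTY_NODE() tests that; the toy mirrors the idiom. */
#include <stdbool.h>
#include <stddef.h>

struct node { struct node *parent; };             /* the one link that matters */
struct hfsc_class { int cl_nactive; struct node el_node; };
struct tree { int nr_nodes; struct node root; };  /* eligible tree as a count */

/* Toy counterparts of RB_CLEAR_NODE() / RB_EMPTY_NODE(). */
static void clear_node(struct node *n) { n->parent = n; }
static bool empty_node(const struct node *n) { return n->parent == n; }
static void tree_insert(struct tree *t, struct node *n) { n->parent = &t->root; t->nr_nodes++; }

/* Pre-fix shape: remove and decrement unconditionally. A second call for the
 * same class "removes" a node that is no longer linked and drives both negative. */
static void qlen_notify_nonidempotent(struct tree *t, struct hfsc_class *cl)
{
    t->nr_nodes--;      /* eltree_remove() with no linked check */
    cl->cl_nactive--;   /* update_vf() with no non-zero check */
}

/* Fixed shape: remove only while linked, then clear the node; decrement only
 * while non-zero. Calling it again is a no-op. */
static void qlen_notify_idempotent(struct tree *t, struct hfsc_class *cl)
{
    if (!empty_node(&cl->el_node)) {
        t->nr_nodes--;
        clear_node(&cl->el_node);
    }
    if (cl->cl_nactive)
        cl->cl_nactive--;
}

/* Link one active class, notify it twice with the chosen variant, and report
 * whether both counters ended at zero, the only consistent state. */
static bool consistent_after_two_notifies(bool fixed)
{
    struct tree t = { 0, { NULL } };
    struct hfsc_class cl = { 1, { NULL } };
    clear_node(&t.root);
    clear_node(&cl.el_node);
    tree_insert(&t, &cl.el_node);
    for (int i = 0; i < 2; i++)
        fixed ? qlen_notify_idempotent(&t, &cl) : qlen_notify_nonidempotent(&t, &cl);
    return t.nr_nodes == 0 && cl.cl_nactive == 0;
}
```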
A vulnerability was found in Linux Kernel up to 6.16-rc2 (Operating System) and classified as critical. Using CWE to declare the problem leads to CWE-911: the product uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count. Impacted is availability. Upgrading to version 5.4.295, 5.10.239, 5.15.186, 6.1.142, 6.6.95, 6.12.35, 6.15.4 or 6.16-rc3 eliminates this vulnerability. Applying the patch 956f1499412ed0953f6a116df7fdb855e9f1fc66/f4ae0f61dd9a63329ecb49b1e6356139d43240b8/dc724bd34d56f5589f7587a091a8cda2386826c4/058dd4a370f23a5553a9449f2db53d5bfa88d45e/bde8833eb075ba8e8674de88e32de6b669966451/988edde4d52d5c02ea4dd95d7619372a5e2fb7b7/d092c7fd8e220b23d6c47e03d7d0cc79e731f379/10876da918fa1aec0227fb4c67647513447f53a9 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version. (CVE-2025-38181)
A vulnerability, which was classified as problematic, was found in Linux Kernel up to 6.15.3 (Operating System). The manipulation of the argument ext4_prepare_inline_data with an unknown input leads to an unknown weakness. This is going to have an impact on confidentiality, integrity, and availability. Upgrading to version 5.4.295, 5.10.239, 5.15.186, 6.1.142, 6.6.95, 6.12.35, 6.15.4 or 6.16-rc1 eliminates this vulnerability. Applying the patch d3dfc60efd145df5324b99a244b0b05505cde29b/717414a8c083c376d4a8940a1230fe0c6ed4ee00/9d1d1c5bf4fc1af76be154d3afb2acdbd89ec7d8/cf5f319a2d8ab8238f8cf3a19463b9bff6420934/26e09d18599da0adc543eabd300080daaeda6869/5766da2237e539f259aa0e5f3639ae37b44ca458/e80ee0263d88d77f2fd1927f915003a7066cbb50/227cb4ca5a6502164f850d22aec3104d7888b270 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version. The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2025-20034). (CVE-2025-38222)
A vulnerability was found in Linux Kernel up to 6.16-rc4 (Operating System). It has been classified as critical. CWE is classifying the issue as CWE-416: referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. This is going to have an impact on confidentiality, integrity, and availability. Upgrading to version 5.4.296, 5.10.240, 5.15.187, 6.1.144, 6.6.97, 6.12.37, 6.15.6 or 6.16-rc5 eliminates this vulnerability. Applying the patch 3b290923ad2b23596208c1e29520badef4356a43/e9921b57dca05ac5f4fa1fa8e993d4f0ee52e2b7/e269f29e9395527bc00c213c6b15da04ebb35070/7874c9c132e906a52a187d045995b115973c93fb/f680a4643c6f71e758d8fe0431a958e9a6a4f59d/a553afd91f55ff39b1e8a1c4989a29394c9e0472/a44acdd9e84a211989ff4b9b92bf3545d8456ad5/103406b38c600fec1fe375a77b27d87e314aea09 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version. (CVE-2025-38350)
A vulnerability classified as critical was found in Linux Kernel up to 6.16-rc2 (Operating System). The manipulation of the argument method with an unknown input leads to an unknown weakness. The CWE definition for the vulnerability is CWE-416: referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. As an impact it is known to affect confidentiality, integrity, and availability. Upgrading to version 5.4.296, 5.10.240, 5.15.187, 6.1.144, 6.6.97, 6.12.37, 6.15.6 or 6.16-rc3 eliminates this vulnerability. Applying the patch b49d224d1830c46e20adce2a239c454cdab426f1/2219e49857ffd6aea1b1ca5214d3270f84623a16/ab1e8491c19eb2ea0fda81ef28e841c7cb6399f5/4305d936abde795c2ef6ba916de8f00a50f64d2d/d547779e72cea9865b732cd45393c4cd02b3598e/18ff4ed6a33a7e3f2097710eacc96bea7696e803/c9e4da550ae196132b990bd77ed3d8f2d9747f87/6fcab2791543924d438e7fa49276d0998b0a069f is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version. (CVE-2025-38386)
A vulnerability was found in Linux Kernel up to 6.15.2 (Operating System). It has been declared as problematic. The CWE definition for the vulnerability is CWE-125: the product reads data past the end, or before the beginning, of the intended buffer. As an impact it is known to affect confidentiality. Upgrading to version 5.4.295, 5.10.239, 5.15.186, 6.1.142, 6.6.94, 6.12.34, 6.15.3 or 6.16-rc1 eliminates this vulnerability. Applying the patch db7096ea160e40d78c67fce52e7cc51bde049497/549f9e3d7b60d53808c98b9fde49b4f46d0524a5/5c51aa862cbeed2f3887f0382a2708956710bd68/6abf6b78c6fb112eee495f5636ffcc350dd2ce25/4f99357dadbf9c979ad737156ad4c37fadf7c56b/0aff95d9bc7fb5400ca8af507429c4b067bdb425/295ab18c2dbce8d0ac6ecf7c5187e16e1ac8b282/734aa85390ea693bb7eaf2240623d41b03705c84 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version. (CVE-2025-38415)
In the Linux kernel, the following vulnerability has been resolved:
md/raid1: Fix stack memory use after return in raid1_reshape
In the raid1_reshape function, newpool is allocated on the stack and assigned to conf->r1bio_pool. This results in conf->r1bio_pool.wait.head pointing to a stack address. Accessing this address later can lead to a kernel panic.
Example access path:
    raid1_reshape() {
        // newpool is on the stack
        mempool_t newpool, oldpool;
        // initialize newpool.wait.head to stack address
        mempool_init(&newpool, ...);
        conf->r1bio_pool = newpool;
    }

    raid1_read_request() or raid1_write_request() {
        alloc_r1bio() {
            mempool_alloc() {
                // if pool->alloc fails
                remove_element() {
                    --pool->curr_nr;
                }
            }
        }
    }

    mempool_free() {
        if (pool->curr_nr < pool->min_nr) {
            // pool->wait.head is a stack address
            // wake_up() will try to access this invalid address
            // which leads to a kernel panic
            return;
            wake_up(&pool->wait);
        }
    }
Fix: reinit conf->r1bio_pool.wait after assigning newpool. (CVE-2025-38445)
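To make the failure mode concrete, here is an added user-space model of the by-value copy above; it is not kernel code and not from the commit. struct list_head, struct pool and conf_r1bio_pool are stand-ins for the kernel's list_head, mempool_t and conf->r1bio_pool, and init_list_head() plays the role of the wait-queue (re)initialisation.

```c
/* Added example, not kernel code: a user-space model of the raid1_reshape()
 * bug above. A wait queue head embeds a circular list whose empty state is
 * "points at itself", so copying the containing struct by value leaves the
 * copy's head pointing into the original, here a stack frame that dies. */
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the kernel's list_head: an empty list links to itself. */
struct list_head { struct list_head *next, *prev; };

static void init_list_head(struct list_head *h) { h->next = h; h->prev = h; }

/* Stand-in for mempool_t, with the wait queue head embedded by value. */
struct pool { int curr_nr, min_nr; struct list_head wait; };

/* Long-lived owner, standing in for conf->r1bio_pool. */
static struct pool conf_r1bio_pool;

/* True when the embedded head links to itself, i.e. it was (re)initialised
 * in place rather than inherited from a copy of another object. */
static bool wait_head_is_self_contained(const struct pool *p)
{
    return p->wait.next == &p->wait && p->wait.prev == &p->wait;
}

/* Buggy flow: initialise on the stack, then assign the whole struct. */
static bool buggy_reshape_leaves_stack_pointer(void)
{
    struct pool newpool = { 0 };          /* lives in this stack frame */
    init_list_head(&newpool.wait);        /* wait.next == &newpool.wait */
    conf_r1bio_pool = newpool;            /* copies that stack address along */
    /* After return, conf_r1bio_pool.wait.next is a dangling stack address;
     * the mempool_free() -> wake_up() path described above would walk it. */
    return !wait_head_is_self_contained(&conf_r1bio_pool);
}

/* Fixed flow: the same copy, followed by the reinit the fix adds. */
static bool fixed_reshape_is_self_contained(void)
{
    struct pool newpool = { 0 };
    init_list_head(&newpool.wait);
    conf_r1bio_pool = newpool;
    init_list_head(&conf_r1bio_pool.wait); /* the kernel uses init_waitqueue_head() */
    return wait_head_is_self_contained(&conf_r1bio_pool);
}

int main(void)
{
    printf("buggy copy dangles: %d\n", buggy_reshape_leaves_stack_pointer());
    printf("fixed copy self-contained: %d\n", fixed_reshape_is_self_contained());
    return 0;
}
```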
A vulnerability, which was classified as problematic, has been found in Linux Kernel up to 6.16-rc5 (Operating System). Impacted are confidentiality, integrity, and availability. Upgrading to version 5.4.296, 5.10.240, 5.15.189, 6.1.146, 6.6.99, 6.12.39, 6.15.7 or 6.16-rc6 eliminates this vulnerability. Applying the patch 923a276c74e25073ae391e930792ac86a9f77f1e/90436e72c9622c2f70389070088325a3232d339f/25452638f133ac19d75af3f928327d8016952c8e/23c165dde88eac405eebb59051ea1fe139a45803/4c691d1b6b6dbd73f30ed9ee7da05f037b0c49af/8ecd651ef24ab50123692a4e3e25db93cb11602a/e28a383d6485c3bb51dc5953552f76c4dea33eea/ffdde7bf5a439aaa1955ebd581f5c64ab1533963 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version. (CVE-2025-38457)
A vulnerability was found in Linux Kernel up to 6.1.146/6.6.99/6.12.39/6.15.7 (Operating System). It has been rated as problematic. Impacted are confidentiality, integrity, and availability. Upgrading to version 6.1.147, 6.6.100, 6.12.40 or 6.15.8 eliminates this vulnerability. Applying the patch 5849980faea1c792d1d5e54fdbf1e69ac0a9bfb9/5dd6a441748dad2f02e27b256984ca0b2d4546b6/65c666aff44eb7f9079c55331abd9687fb77ba2d/bfe8ef373986e8f185d3d6613eb1801a8749837a/4c4ca3c46167518f8534ed70f6e3b4bf86c4d158 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version. (CVE-2025-38474)
In the Linux kernel, the following vulnerability has been resolved:
HID: core: do not bypass hid_hw_raw_request
hid_hw_raw_request() is actually useful to ensure the provided buffer and length are valid. Directly calling in the low-level transport driver function bypassed those checks and allowed invalid params to be used. (CVE-2025-38494)
A vulnerability was found in Linux Kernel up to 6.15.6 (Operating System). It has been rated as critical. Using CWE to declare the problem leads to CWE-404: the product does not release or incorrectly releases a resource before it is made available for re-use. Impacted is availability. Upgrading to version 5.4.296, 5.10.240, 5.15.189, 6.1.146, 6.6.99, 6.12.39 or 6.15.7 eliminates this vulnerability. Applying the patch 549a9c78c3ea6807d0dc4162a4f5ba59f217d5a0/e62f51d0ec8a9baf324caf9a564f8e318d36a551/ef841f8e4e1ff67817ca899bedc5ebb00847c0a7/f9a4f28a4fc4ee453a92a9abbe36e26224d17749/c64f5310530baf75328292f9b9f3f2961d185183/e2d6547dc8b9b332f9bc00875197287a6a4db65a/ef58a95457466849fa7b31fd3953801a5af0f58b/8af39ec5cf2be522c8eb43a3d8005ed59e4daaee is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version. (CVE-2025-38515)
{ "severity": "High" }
{
  "aarch64": [
    "bpftool-4.19.90-2508.3.0.0341.oe2003sp4.aarch64.rpm",
    "bpftool-debuginfo-4.19.90-2508.3.0.0341.oe2003sp4.aarch64.rpm",
    "kernel-4.19.90-2508.3.0.0341.oe2003sp4.aarch64.rpm",
    "kernel-debuginfo-4.19.90-2508.3.0.0341.oe2003sp4.aarch64.rpm",
    "kernel-debugsource-4.19.90-2508.3.0.0341.oe2003sp4.aarch64.rpm",
    "kernel-devel-4.19.90-2508.3.0.0341.oe2003sp4.aarch64.rpm",
    "kernel-source-4.19.90-2508.3.0.0341.oe2003sp4.aarch64.rpm",
    "kernel-tools-4.19.90-2508.3.0.0341.oe2003sp4.aarch64.rpm",
    "kernel-tools-debuginfo-4.19.90-2508.3.0.0341.oe2003sp4.aarch64.rpm",
    "kernel-tools-devel-4.19.90-2508.3.0.0341.oe2003sp4.aarch64.rpm",
    "perf-4.19.90-2508.3.0.0341.oe2003sp4.aarch64.rpm",
    "perf-debuginfo-4.19.90-2508.3.0.0341.oe2003sp4.aarch64.rpm",
    "python2-perf-4.19.90-2508.3.0.0341.oe2003sp4.aarch64.rpm",
    "python2-perf-debuginfo-4.19.90-2508.3.0.0341.oe2003sp4.aarch64.rpm",
    "python3-perf-4.19.90-2508.3.0.0341.oe2003sp4.aarch64.rpm",
    "python3-perf-debuginfo-4.19.90-2508.3.0.0341.oe2003sp4.aarch64.rpm"
  ],
  "src": [
    "kernel-4.19.90-2508.3.0.0341.oe2003sp4.src.rpm"
  ],
  "x86_64": [
    "bpftool-4.19.90-2508.3.0.0341.oe2003sp4.x86_64.rpm",
    "bpftool-debuginfo-4.19.90-2508.3.0.0341.oe2003sp4.x86_64.rpm",
    "kernel-4.19.90-2508.3.0.0341.oe2003sp4.x86_64.rpm",
    "kernel-debuginfo-4.19.90-2508.3.0.0341.oe2003sp4.x86_64.rpm",
    "kernel-debugsource-4.19.90-2508.3.0.0341.oe2003sp4.x86_64.rpm",
    "kernel-devel-4.19.90-2508.3.0.0341.oe2003sp4.x86_64.rpm",
    "kernel-source-4.19.90-2508.3.0.0341.oe2003sp4.x86_64.rpm",
    "kernel-tools-4.19.90-2508.3.0.0341.oe2003sp4.x86_64.rpm",
    "kernel-tools-debuginfo-4.19.90-2508.3.0.0341.oe2003sp4.x86_64.rpm",
    "kernel-tools-devel-4.19.90-2508.3.0.0341.oe2003sp4.x86_64.rpm",
    "perf-4.19.90-2508.3.0.0341.oe2003sp4.x86_64.rpm",
    "perf-debuginfo-4.19.90-2508.3.0.0341.oe2003sp4.x86_64.rpm",
    "python2-perf-4.19.90-2508.3.0.0341.oe2003sp4.x86_64.rpm",
    "python2-perf-debuginfo-4.19.90-2508.3.0.0341.oe2003sp4.x86_64.rpm",
    "python3-perf-4.19.90-2508.3.0.0341.oe2003sp4.x86_64.rpm",
    "python3-perf-debuginfo-4.19.90-2508.3.0.0341.oe2003sp4.x86_64.rpm"
  ]
}