RLSA-2025:20518

Source
https://errata.rockylinux.org/RLSA-2025:20518
Import Source
https://storage.googleapis.com/resf-osv-data/RLSA-2025:20518.json
JSON Data
https://api.test.osv.dev/v1/vulns/RLSA-2025:20518
Published
2025-11-21T18:13:51.682496Z
Modified
2025-11-21T18:48:01.549139Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Moderate: kernel security update
Details

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

  • kernel: can: isotp: fix potential CAN frame reception race in isotp_rcv() (CVE-2022-48830)

  • kernel: soc: qcom: cmd-db: Map shared memory as WC, not WB (CVE-2024-46689)

  • kernel: Squashfs: sanity check symbolic link size (CVE-2024-46744)

  • kernel: vfs: fix race between evice_inodes() and find_inode()&iput() (CVE-2024-47679)

  • kernel: x86/tdx: Fix "in-kernel MMIO" check (CVE-2024-47727)

  • kernel: rxrpc: Fix a race between socket set up and I/O thread creation (CVE-2024-49864)

  • kernel: io_uring: check if we need to reschedule during overflow flush (CVE-2024-50060)

  • kernel: can: m_can: pci: add missing m_can_class_free_dev() in probe/remove methods (CVE-2022-49024)

  • kernel: posix-clock: Fix missing timespec64 check in pc_clock_settime() (CVE-2024-50195)

  • kernel: rxrpc: Fix missing locking causing hanging calls (CVE-2024-50294)

  • kernel: io_uring/rw: fix missing NOWAIT check for O_DIRECT start write (CVE-2024-53052)

  • kernel: afs: Fix lock recursion (CVE-2024-53090)

  • kernel: virtio/vsock: Fix accept_queue memory leak (CVE-2024-53119)

  • kernel: KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN (CVE-2024-53135)

  • kernel: xen: Xen hypercall page unsafe against speculative attacks (Xen Security Advisory 466) (CVE-2024-53241)

  • kernel: RDMA/rxe: Fix the qp flush warnings in req (CVE-2024-53229)

  • kernel: block: fix uaf for flush rq while iterating tags (CVE-2024-53170)

  • kernel: nfsd: release svc_expkey/svc_export with rcu_work (CVE-2024-53216)

  • kernel: net: af_can: do not leave a dangling sk pointer in can_create() (CVE-2024-56603)

  • kernel: blk-cgroup: Fix UAF in blkcg_unpin_online() (CVE-2024-56672)

  • kernel: acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl (CVE-2024-56662)

  • kernel: bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors (CVE-2024-56675)

  • kernel: can: j1939: j1939_session_new(): fix skb reference counting (CVE-2024-56645)

  • kernel: crypto: pcrypt - Call crypto layer directly when padata_do_parallel() return -EBUSY (CVE-2024-56690)

  • kernel: io_uring: check if iowq is killed before queuing (CVE-2024-56709)

  • kernel: rtc: check if __rtc_read_time was successful in rtc_timer_do_work() (CVE-2024-56739)

  • kernel: bpf: put bpf_link's program when link is safe to be deallocated (CVE-2024-56786)

  • kernel: igb: Fix potential invalid memory access in igb_init_module() (CVE-2024-52332)

  • kernel: ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init() (CVE-2024-53680)

  • kernel: netfilter: conntrack: clamp maximum hashtable size to INT_MAX (CVE-2025-21648)

  • kernel: sched: sch_cake: add bounds checks to host bulk flow fairness counts (CVE-2025-21647)

  • kernel: block, bfq: fix waker_bfqq UAF after bfq_split_bfqq() (CVE-2025-21631)

  • kernel: zram: fix potential UAF of zram table (CVE-2025-21671)

  • kernel: afs: Fix merge preference rule failure condition (CVE-2025-21672)

  • kernel: mm: zswap: properly synchronize freeing resources during CPU hotunplug (CVE-2025-21693)

  • kernel: cachestat: fix page cache statistics permission checking (CVE-2025-21691)

  • kernel: mm: clear uffd-wp PTE/PMD state on mremap() (CVE-2025-21696)

  • kernel: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (CVE-2025-21702)

  • kernel: usbnet: fix memory leak in error case (CVE-2022-49657)

  • kernel: powerpc/xics: fix refcount leak in icp_opal_init() (CVE-2022-49432)

  • kernel: net: tun: unlink NAPI from device on destruction (CVE-2022-49672)

  • kernel: powerpc/papr_scm: don't requests stats with '0' sized stats buffer (CVE-2022-49353)

  • kernel: powerpc/xive: Fix refcount leak in xive_spapr_init (CVE-2022-49437)

  • kernel: ima: Fix potential memory leak in ima_init_crypto() (CVE-2022-49627)

  • kernel: linux/dim: Fix divide by 0 in RDMA DIM (CVE-2022-49670)

  • kernel: can: isotp: sanitize CAN ID checks in isotp_bind() (CVE-2022-49269)

  • kernel: ima: Fix a potential integer overflow in ima_appraise_measurement (CVE-2022-49643)

  • kernel: powerpc/xive/spapr: correct bitmap allocation size (CVE-2022-49623)

  • kernel: efi: Do not import certificates from UEFI Secure Boot for T2 Macs (CVE-2022-49357)

  • kernel: list: fix a data-race around ep->rdllist (CVE-2022-49443)

  • kernel: tracing/histograms: Fix memory leak problem (CVE-2022-49648)

  • kernel: Input: synaptics - fix crash when enabling pass-through port (CVE-2025-21746)

  • kernel: NFSD: fix hang in nfsd4_shutdown_callback (CVE-2025-21795)

  • kernel: bpf: Send signals asynchronously if !preemptible (CVE-2025-21728)

  • kernel: NFS: Fix potential buffer overflow in nfs_sysfs_link_rpc_client() (CVE-2024-54456)

  • kernel: Bluetooth: btrtl: check for NULL in btrtl_setup_realtek() (CVE-2024-57987)

  • kernel: wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy() (CVE-2024-58014)

  • kernel: Bluetooth: btbcm: Fix NULL deref in btbcm_get_board_name() (CVE-2024-57988)

  • kernel: RDMA/mlx5: Fix implicit ODP use after free (CVE-2025-21714)

  • kernel: drm/xe/tracing: Fix a potential TP_printk UAF (CVE-2024-49570)

  • kernel: HID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding endpoint check (CVE-2024-57993)

  • kernel: wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion (CVE-2025-21729)

  • kernel: wifi: mt76: mt7925: fix NULL deref check in mt7925_change_vif_links (CVE-2024-57989)

  • kernel: wifi: ath12k: Fix for out-of bound access error (CVE-2024-58015)

  • kernel: OPP: add index check to assert to avoid buffer overflow in _read_freq() (CVE-2024-57998)

  • kernel: wifi: ath12k: fix read pointer after free in ath12k_mac_assign_vif_to_vdev() (CVE-2024-57995)

  • kernel: nfsd: clear acl_access/acl_default after releasing them (CVE-2025-21796)

  • kernel: scsi: ufs: core: Fix use-after free in init error and remove paths (CVE-2025-21739)

  • kernel: workqueue: Put the pwq after detaching the rescuer from the pool (CVE-2025-21786)

  • kernel: ata: libata-sff: Ensure that we cannot write outside the allocated buffer (CVE-2025-21738)

  • kernel: HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections (CVE-2024-57986)

  • kernel: padata: avoid UAF for reorder_work (CVE-2025-21726)

  • kernel: vrf: use RCU protection in l3mdev_l3_out() (CVE-2025-21791)

  • kernel: team: better TEAM_OPTION_TYPE_STRING validation (CVE-2025-21787)

  • kernel: usb: xhci: Fix NULL pointer dereference on certain command aborts (CVE-2024-57981)

  • kernel: vxlan: check vxlan_vnigroup_init() return value (CVE-2025-21790)

  • kernel: wifi: mt76: mt7925: fix off by one in mt7925_load_clc() (CVE-2024-57990)

  • kernel: ipv6: use RCU protection in ip6_default_advmss() (CVE-2025-21765)

  • kernel: ASoC: SOF: Intel: hda-dai: Ensure DAI widget is valid during params (CVE-2024-58012)

  • kernel: blk-cgroup: Fix class @block_class's subsystem refcount leakage (CVE-2025-21745)

  • kernel: net: let net.core.dev_weight always be non-zero (CVE-2025-21806)

  • kernel: wifi: rtlwifi: remove unused check_buddy_priv (CVE-2024-58072)

  • kernel: OPP: fix dev_pm_opp_find_bw_*() when bandwidth table not initialized (CVE-2024-58068)

  • kernel: wifi: iwlwifi: mvm: avoid NULL pointer dereference (CVE-2024-58062)

  • kernel: idpf: convert workqueues to unbound (CVE-2024-58057)

  • kernel: wifi: mac80211: don't flush non-uploaded STAs (CVE-2025-21828)

  • kernel: KVM: Explicitly verify target vCPU is online in kvm_get_vcpu() (CVE-2024-58083)

  • kernel: netfilter: nf_tables: reject mismatching sum of field_len with set key length (CVE-2025-21826)

  • kernel: ASoC: soc-pcm: don't use soc_pcm_ret() on .prepare callback (CVE-2024-58077)

  • kernel: crypto: tegra - do not transfer req when tegra init fails (CVE-2024-58075)

  • kernel: RDMA/rxe: Fix the warning "__rxe_cleanup+0x12c/0x170 [rdma_rxe]" (CVE-2025-21829)

  • kernel: KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop (CVE-2025-21839)

  • kernel: io_uring/uring_cmd: unconditionally copy SQEs at prep time (CVE-2025-21837)

  • kernel: information leak via transient execution vulnerability in some AMD processors (CVE-2024-36350)

  • kernel: transient execution vulnerability in some AMD processors (CVE-2024-36357)

  • kernel: bpf: Fix softlockup in arena_map_free on 64k page kernel (CVE-2025-21851)

  • kernel: ibmvnic: Don't reference skb after sending to VIOS (CVE-2025-21855)

  • kernel: smb: client: Add check for next_buffer in receive_encrypted_standard() (CVE-2025-21844)

  • kernel: bpf: avoid holding freeze_mutex during mmap operation (CVE-2025-21853)

  • kernel: ASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data() (CVE-2025-21847)

  • kernel: tcp: drop secpath at the same time as we currently drop dst (CVE-2025-21864)

  • kernel: bpf: Fix deadlock when freeing cgroup storage (CVE-2024-58088)

  • kernel: acct: perform last write from workqueue (CVE-2025-21846)

  • kernel: mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() (CVE-2025-21861)

  • kernel: io_uring: prevent opcode speculation (CVE-2025-21863)

  • kernel: nfp: bpf: Add check for nfp_app_ctrl_msg_alloc() (CVE-2025-21848)

  • kernel: netfilter: nft_tunnel: fix geneve_opt type confusion addition (CVE-2025-22056)

  • kernel: can: j1939: j1939_send_one(): fix missing CAN header initialization (CVE-2022-49845)

  • kernel: usb: typec: ucsi: displayport: Fix NULL pointer access (CVE-2025-37994)

  • kernel: wifi: ath12k: fix uaf in ath12k_core_init() (CVE-2025-38116)

  • kernel: fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass (CVE-2025-38396)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Rocky Linux 9 Release Notes linked from the References section.

References
Credits
    • Rocky Enterprise Software Foundation
    • Red Hat

Affected packages

Rocky Linux:9 / kernel

Package

Name
kernel
Purl
pkg:rpm/rocky-linux/kernel?distro=rocky-linux-9&epoch=0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0:5.14.0-611.5.1.el9_7
Database specific
{
    "yum_repository": "BaseOS"
}