Issued at: 2025-11-27
Updated at: 2025-12-07
Synopsis
Moderate: kernel security update
Description
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security Fix(es):
* kernel: xen: Xen hypercall page unsafe against speculative attacks (Xen Security Advisory 466) (CVE-2024-53241)
* kernel: exfat: fix out-of-bounds access of directory entries (CVE-2024-53147)
* kernel: zram: fix NULL pointer in comp_algorithm_show() (CVE-2024-53222)
* kernel: nfsd: release svc_expkey/svc_export with rcu_work (CVE-2024-53216)
* kernel: acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl (CVE-2024-56662)
* kernel: bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors (CVE-2024-56675)
* kernel: crypto: pcrypt - Call crypto layer directly when padata_do_parallel() return -EBUSY (CVE-2024-56690)
* kernel: igb: Fix potential invalid memory access in igb_init_module() (CVE-2024-52332)
* kernel: af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK (CVE-2024-57901)
* kernel: af_packet: fix vlan_get_tci() vs MSG_PEEK (CVE-2024-57902)
* kernel: io_uring/sqpoll: zero sqd->thread on tctx errors (CVE-2025-21633)
* kernel: ipvlan: Fix use-after-free in ipvlan_get_iflink(). (CVE-2025-21652)
* kernel: sched: sch_cake: add bounds checks to host bulk flow fairness counts (CVE-2025-21647)
* kernel: io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period (CVE-2025-21655)
* kernel: netfs: Fix the (non-)cancellation of copy when cache is temporarily disabled (CVE-2024-57941)
* kernel: netfs: Fix ceph copy to cache on write-begin (CVE-2024-57942)
* kernel: zram: fix potential UAF of zram table (CVE-2025-21671)
* kernel: pktgen: Avoid out-of-bounds access in get_imix_entries (CVE-2025-21680)
* kernel: mm: zswap: properly synchronize freeing resources during CPU hotunplug (CVE-2025-21693)
* kernel: cachestat: fix page cache statistics permission checking (CVE-2025-21691)
* kernel: mm: clear uffd-wp PTE/PMD state on mremap() (CVE-2025-21696)
* kernel: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (CVE-2025-21702)
* kernel: RDMA/mlx5: Fix a race for an ODP MR which leads to CQE with error (CVE-2025-21732)
* kernel: NFSD: fix hang in nfsd4_shutdown_callback (CVE-2025-21795)
* kernel: NFS: Fix potential buffer overflowin nfs_sysfs_link_rpc_client() (CVE-2024-54456)
* kernel: Bluetooth: btrtl: check for NULL in btrtl_setup_realtek() (CVE-2024-57987)
* kernel: wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy() (CVE-2024-58014)
* kernel: Bluetooth: btbcm: Fix NULL deref in btbcm_get_board_name() (CVE-2024-57988)
* kernel: drm/xe/tracing: Fix a potential TP_printk UAF (CVE-2024-49570)
* kernel: media: intel/ipu6: remove cpu latency qos request on error (CVE-2024-58004)
* kernel: usbnet: ipheth: use static NDP16 location in URB (CVE-2025-21742)
* kernel: usbnet: ipheth: fix possible overflow in DPE length check (CVE-2025-21743)
* kernel: wifi: mt76: mt7925: fix NULL deref check in mt7925_change_vif_links (CVE-2024-57989)
* kernel: wifi: ath12k: Fix for out-of bound access error (CVE-2024-58015)
* kernel: wifi: ath12k: fix read pointer after free in ath12k_mac_assign_vif_to_vdev() (CVE-2024-57995)
* kernel: nfsd: clear acl_access/acl_default after releasing them (CVE-2025-21796)
* kernel: workqueue: Put the pwq after detaching the rescuer from the pool (CVE-2025-21786)
* kernel: tpm: Change to kvalloc() in eventlog/acpi.c (CVE-2024-58005)
* kernel: Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync (CVE-2024-58013)
* kernel: ring-buffer: Validate the persistent meta data subbuf array (CVE-2025-21777)
* kernel: ata: libata-sff: Ensure that we cannot write outside the allocated buffer (CVE-2025-21738)
* kernel: HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections (CVE-2024-57986)
* kernel: padata: avoid UAF for reorder_work (CVE-2025-21726)
* kernel: vrf: use RCU protection in l3mdev_l3_out() (CVE-2025-21791)
* kernel: HID: multitouch: Add NULL check in mt_input_configured (CVE-2024-58020)
* kernel: i3c: dw: Fix use-after-free in dw_i3c_master driver due to race condition (CVE-2024-57984)
* kernel: openvswitch: use RCU protection in ovs_vport_cmd_fill_info() (CVE-2025-21761)
* kernel: sched_ext: Fix incorrect autogroup migration detection (CVE-2025-21771)
* kernel: usb: xhci: Fix NULL pointer dereference on certain command aborts (CVE-2024-57981)
* kernel: memcg: fix soft lockup in the OOM process (CVE-2024-57977)
* kernel: vxlan: check vxlan_vnigroup_init() return value (CVE-2025-21790)
* kernel: usbnet: ipheth: fix DPE OoB read (CVE-2025-21741)
* kernel: arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array (CVE-2025-21785)
* kernel: ipv6: use RCU protection in ip6_default_advmss() (CVE-2025-21765)
* kernel: PCI: dwc: ep: Prevent changing BAR size/flags in pci_epc_set_bar() (CVE-2024-58006)
* kernel: ASoC: SOF: Intel: hda-dai: Ensure DAI widget is valid during params (CVE-2024-58012)
* kernel: wifi: brcmfmac: Check the return value of of_property_read_string_index() (CVE-2025-21750)
* kernel: wifi: rtlwifi: remove unused check_buddy_priv (CVE-2024-58072)
* kernel: rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read (CVE-2024-58069)
* kernel: wifi: mac80211: prohibit deactivating all links (CVE-2024-58061)
* kernel: idpf: convert workqueues to unbound (CVE-2024-58057)
* kernel: wifi: mac80211: don't flush non-uploaded STAs (CVE-2025-21828)
* kernel: netfilter: nf_tables: reject mismatching sum of field_len with set key length (CVE-2025-21826)
* kernel: ASoC: soc-pcm: don't use soc_pcm_ret() on .prepare callback (CVE-2024-58077)
* kernel: crypto: tegra - do not transfer req when tegra init fails (CVE-2024-58075)
* kernel: io_uring/uring_cmd: unconditionally copy SQEs at prep time (CVE-2025-21837)
* kernel: information leak via transient execution vulnerability in some AMD processors (CVE-2024-36350)
* kernel: transient execution vulnerability in some AMD processors (CVE-2024-36357)
* kernel: net/sched: cls_api: fix error handling causing NULL dereference (CVE-2025-21857)
* kernel: bpf: Fix softlockup in arena_map_free on 64k page kernel (CVE-2025-21851)
* kernel: ibmvnic: Don't reference skb after sending to VIOS (CVE-2025-21855)
* kernel: smb: client: Add check for next_buffer in receive_encrypted_standard() (CVE-2025-21844)
* kernel: bpf: avoid holding freeze_mutex during mmap operation (CVE-2025-21853)
* kernel: ASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data() (CVE-2025-21847)
* kernel: tcp: drop secpath at the same time as we currently drop dst (CVE-2025-21864)
* kernel: bpf: Fix deadlock when freeing cgroup storage (CVE-2024-58088)
* kernel: acct: perform last write from workqueue (CVE-2025-21846)
* kernel: mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() (CVE-2025-21861)
* kernel: io_uring: prevent opcode speculation (CVE-2025-21863)
* kernel: fbdev: hyperv_fb: Allow graceful removal of framebuffer (CVE-2025-21976)
* kernel: netfilter: nft_tunnel: fix geneve_opt type confusion addition (CVE-2025-22056)
* kernel: net: ppp: Add bound checking for skb data on ppp_sync_txmung (CVE-2025-37749)
* microcode_ctl: From CVEorg collector (CVE-2024-28956)
* kernel: usb: typec: ucsi: displayport: Fix NULL pointer access (CVE-2025-37994)
* kernel: wifi: ath12k: fix uaf in ath12k_core_init() (CVE-2025-38116)
* kernel: platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks (CVE-2025-38412)
* kernel: dmaengine: idxd: Check availability of workqueue allocated by idxd wq driver before using (CVE-2025-38369)
* kernel: net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree (CVE-2025-38468)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Rocky Linux 10 Release Notes linked from the References section.