An update for kernel is now available for openEuler-22.03-LTS-SP4 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-2006 Final 1.0 1.0 2025-08-15 Initial 2025-08-15 2025-08-15 openEuler SA Tool V1.0 2025-08-15 kernel security update An update for kernel is now available for openEuler-22.03-LTS-SP4 The Linux Kernel, the operating system core itself. Security Fix(es): In the Linux kernel, the following vulnerability has been resolved: vlan: enforce underlying device type Currently, VLAN devices can be created on top of non-ethernet devices. Besides the fact that it doesn't make much sense, this also causes a bug which leaks the address of a kernel function to usermode. When creating a VLAN device, we initialize GARP (garp_init_applicant) and MRP (mrp_init_applicant) for the underlying device. As part of the initialization process, we add the multicast address of each applicant to the underlying device, by calling dev_mc_add. __dev_mc_add uses dev->addr_len to determine the length of the new multicast address. This causes an out-of-bounds read if dev->addr_len is greater than 6, since the multicast addresses provided by GARP and MRP are only 6 bytes long. This behaviour can be reproduced using the following commands: ip tunnel add gretest mode ip6gre local ::1 remote ::2 dev lo ip l set up dev gretest ip link add link gretest name vlantest type vlan id 100 Then, the following command will display the address of garp_pdu_rcv: ip maddr show | grep 01:80:c2:00:00:21 Fix the bug by enforcing the type of the underlying device during VLAN device initialization.(CVE-2025-21920) In the Linux kernel, the following vulnerability has been resolved: net: gso: fix ownership in __udp_gso_segment In __udp_gso_segment the skb destructor is removed before segmenting the skb but the socket reference is kept as-is. This is an issue if the original skb is later orphaned as we can hit the following bug: kernel BUG at ./include/linux/skbuff.h:3312! (skb_orphan) RIP: 0010:ip_rcv_core+0x8b2/0xca0 Call Trace: ip_rcv+0xab/0x6e0 __netif_receive_skb_one_core+0x168/0x1b0 process_backlog+0x384/0x1100 __napi_poll.constprop.0+0xa1/0x370 net_rx_action+0x925/0xe50 The above can happen following a sequence of events when using OpenVSwitch, when an OVS_ACTION_ATTR_USERSPACE action precedes an OVS_ACTION_ATTR_OUTPUT action: 1. OVS_ACTION_ATTR_USERSPACE is handled (in do_execute_actions): the skb goes through queue_gso_packets and then __udp_gso_segment, where its destructor is removed. 2. The segments' data are copied and sent to userspace. 3. OVS_ACTION_ATTR_OUTPUT is handled (in do_execute_actions) and the same original skb is sent to its path. 4. If it later hits skb_orphan, we hit the bug. Fix this by also removing the reference to the socket in __udp_gso_segment.(CVE-2025-21926) In the Linux kernel, the following vulnerability has been resolved: net: atm: fix use after free in lec_send() The ->send() operation frees skb so save the length before calling ->send() to avoid a use after free.(CVE-2025-22004) In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger right after unlock_task_sighand(). If a concurrent posix_cpu_timer_del() runs at that moment, it won't be able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or lock_task_sighand() will fail. Add the tsk->exit_state check into run_posix_cpu_timers() to fix this. This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because exit_task_work() is called before exit_notify(). But the check still makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail anyway in this case.(CVE-2025-38352) An update for kernel is now available for openEuler-22.03-LTS-SP4. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High kernel https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2006 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-21920 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-21926 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-22004 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-38352 https://nvd.nist.gov/vuln/detail/CVE-2025-21920 https://nvd.nist.gov/vuln/detail/CVE-2025-21926 https://nvd.nist.gov/vuln/detail/CVE-2025-22004 https://nvd.nist.gov/vuln/detail/CVE-2025-38352 openEuler-22.03-LTS-SP4 bpftool-5.10.0-277.0.0.180.oe2203sp4.aarch64.rpm bpftool-debuginfo-5.10.0-277.0.0.180.oe2203sp4.aarch64.rpm kernel-5.10.0-277.0.0.180.oe2203sp4.aarch64.rpm kernel-debuginfo-5.10.0-277.0.0.180.oe2203sp4.aarch64.rpm kernel-debugsource-5.10.0-277.0.0.180.oe2203sp4.aarch64.rpm kernel-devel-5.10.0-277.0.0.180.oe2203sp4.aarch64.rpm kernel-headers-5.10.0-277.0.0.180.oe2203sp4.aarch64.rpm kernel-source-5.10.0-277.0.0.180.oe2203sp4.aarch64.rpm kernel-tools-5.10.0-277.0.0.180.oe2203sp4.aarch64.rpm kernel-tools-debuginfo-5.10.0-277.0.0.180.oe2203sp4.aarch64.rpm kernel-tools-devel-5.10.0-277.0.0.180.oe2203sp4.aarch64.rpm perf-5.10.0-277.0.0.180.oe2203sp4.aarch64.rpm perf-debuginfo-5.10.0-277.0.0.180.oe2203sp4.aarch64.rpm python3-perf-5.10.0-277.0.0.180.oe2203sp4.aarch64.rpm python3-perf-debuginfo-5.10.0-277.0.0.180.oe2203sp4.aarch64.rpm bpftool-5.10.0-277.0.0.180.oe2203sp4.x86_64.rpm bpftool-debuginfo-5.10.0-277.0.0.180.oe2203sp4.x86_64.rpm kernel-5.10.0-277.0.0.180.oe2203sp4.x86_64.rpm kernel-debuginfo-5.10.0-277.0.0.180.oe2203sp4.x86_64.rpm kernel-debugsource-5.10.0-277.0.0.180.oe2203sp4.x86_64.rpm kernel-devel-5.10.0-277.0.0.180.oe2203sp4.x86_64.rpm kernel-headers-5.10.0-277.0.0.180.oe2203sp4.x86_64.rpm kernel-source-5.10.0-277.0.0.180.oe2203sp4.x86_64.rpm kernel-tools-5.10.0-277.0.0.180.oe2203sp4.x86_64.rpm kernel-tools-debuginfo-5.10.0-277.0.0.180.oe2203sp4.x86_64.rpm kernel-tools-devel-5.10.0-277.0.0.180.oe2203sp4.x86_64.rpm perf-5.10.0-277.0.0.180.oe2203sp4.x86_64.rpm perf-debuginfo-5.10.0-277.0.0.180.oe2203sp4.x86_64.rpm python3-perf-5.10.0-277.0.0.180.oe2203sp4.x86_64.rpm python3-perf-debuginfo-5.10.0-277.0.0.180.oe2203sp4.x86_64.rpm kernel-5.10.0-277.0.0.180.oe2203sp4.src.rpm In the Linux kernel, the following vulnerability has been resolved: vlan: enforce underlying device type Currently, VLAN devices can be created on top of non-ethernet devices. Besides the fact that it doesn't make much sense, this also causes a bug which leaks the address of a kernel function to usermode. When creating a VLAN device, we initialize GARP (garp_init_applicant) and MRP (mrp_init_applicant) for the underlying device. As part of the initialization process, we add the multicast address of each applicant to the underlying device, by calling dev_mc_add. __dev_mc_add uses dev->addr_len to determine the length of the new multicast address. This causes an out-of-bounds read if dev->addr_len is greater than 6, since the multicast addresses provided by GARP and MRP are only 6 bytes long. This behaviour can be reproduced using the following commands: ip tunnel add gretest mode ip6gre local ::1 remote ::2 dev lo ip l set up dev gretest ip link add link gretest name vlantest type vlan id 100 Then, the following command will display the address of garp_pdu_rcv: ip maddr show | grep 01:80:c2:00:00:21 Fix the bug by enforcing the type of the underlying device during VLAN device initialization. 2025-08-15 CVE-2025-21920 openEuler-22.03-LTS-SP4 High 7.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H kernel security update 2025-08-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2006 In the Linux kernel, the following vulnerability has been resolved: net: gso: fix ownership in __udp_gso_segment In __udp_gso_segment the skb destructor is removed before segmenting the skb but the socket reference is kept as-is. This is an issue if the original skb is later orphaned as we can hit the following bug: kernel BUG at ./include/linux/skbuff.h:3312! (skb_orphan) RIP: 0010:ip_rcv_core+0x8b2/0xca0 Call Trace: ip_rcv+0xab/0x6e0 __netif_receive_skb_one_core+0x168/0x1b0 process_backlog+0x384/0x1100 __napi_poll.constprop.0+0xa1/0x370 net_rx_action+0x925/0xe50 The above can happen following a sequence of events when using OpenVSwitch, when an OVS_ACTION_ATTR_USERSPACE action precedes an OVS_ACTION_ATTR_OUTPUT action: 1. OVS_ACTION_ATTR_USERSPACE is handled (in do_execute_actions): the skb goes through queue_gso_packets and then __udp_gso_segment, where its destructor is removed. 2. The segments' data are copied and sent to userspace. 3. OVS_ACTION_ATTR_OUTPUT is handled (in do_execute_actions) and the same original skb is sent to its path. 4. If it later hits skb_orphan, we hit the bug. Fix this by also removing the reference to the socket in __udp_gso_segment. 2025-08-15 CVE-2025-21926 openEuler-22.03-LTS-SP4 Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2025-08-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2006 In the Linux kernel, the following vulnerability has been resolved: net: atm: fix use after free in lec_send() The ->send() operation frees skb so save the length before calling ->send() to avoid a use after free. 2025-08-15 CVE-2025-22004 openEuler-22.03-LTS-SP4 High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2025-08-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2006 In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger right after unlock_task_sighand(). If a concurrent posix_cpu_timer_del() runs at that moment, it won't be able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or lock_task_sighand() will fail. Add the tsk->exit_state check into run_posix_cpu_timers() to fix this. This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because exit_task_work() is called before exit_notify(). But the check still makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail anyway in this case. 2025-08-15 CVE-2025-38352 openEuler-22.03-LTS-SP4 Medium 4.6 AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L kernel security update 2025-08-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2006