An update for kernel is now available for openEuler-22.03-LTS-SP4 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-2059 Final 1.0 1.0 2025-08-22 Initial 2025-08-22 2025-08-22 openEuler SA Tool V1.0 2025-08-22 kernel security update An update for kernel is now available for openEuler-22.03-LTS-SP4 The Linux Kernel, the operating system core itself. Security Fix(es): In the Linux kernel, the following vulnerability has been resolved: powerpc/xive/spapr: correct bitmap allocation size kasan detects access beyond the end of the xibm->bitmap allocation: BUG: KASAN: slab-out-of-bounds in _find_first_zero_bit+0x40/0x140 Read of size 8 at addr c00000001d1d0118 by task swapper/0/1 CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.19.0-rc2-00001-g90df023b36dd #28 Call Trace: [c00000001d98f770] [c0000000012baab8] dump_stack_lvl+0xac/0x108 (unreliable) [c00000001d98f7b0] [c00000000068faac] print_report+0x37c/0x710 [c00000001d98f880] [c0000000006902c0] kasan_report+0x110/0x354 [c00000001d98f950] [c000000000692324] __asan_load8+0xa4/0xe0 [c00000001d98f970] [c0000000011c6ed0] _find_first_zero_bit+0x40/0x140 [c00000001d98f9b0] [c0000000000dbfbc] xive_spapr_get_ipi+0xcc/0x260 [c00000001d98fa70] [c0000000000d6d28] xive_setup_cpu_ipi+0x1e8/0x450 [c00000001d98fb30] [c000000004032a20] pSeries_smp_probe+0x5c/0x118 [c00000001d98fb60] [c000000004018b44] smp_prepare_cpus+0x944/0x9ac [c00000001d98fc90] [c000000004009f9c] kernel_init_freeable+0x2d4/0x640 [c00000001d98fd90] [c0000000000131e8] kernel_init+0x28/0x1d0 [c00000001d98fe10] [c00000000000cd54] ret_from_kernel_thread+0x5c/0x64 Allocated by task 0: kasan_save_stack+0x34/0x70 __kasan_kmalloc+0xb4/0xf0 __kmalloc+0x268/0x540 xive_spapr_init+0x4d0/0x77c pseries_init_irq+0x40/0x27c init_IRQ+0x44/0x84 start_kernel+0x2a4/0x538 start_here_common+0x1c/0x20 The buggy address belongs to the object at c00000001d1d0118 which belongs to the cache kmalloc-8 of size 8 The buggy address is located 0 bytes inside of 8-byte region [c00000001d1d0118, c00000001d1d0120) The buggy address belongs to the physical page: page:c00c000000074740 refcount:1 mapcount:0 mapping:0000000000000000 index:0xc00000001d1d0558 pfn:0x1d1d flags: 0x7ffff000000200(slab|node=0|zone=0|lastcpupid=0x7ffff) raw: 007ffff000000200 c00000001d0003c8 c00000001d0003c8 c00000001d010480 raw: c00000001d1d0558 0000000001e1000a 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: c00000001d1d0000: fc 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc c00000001d1d0080: fc fc 00 fc fc fc fc fc fc fc fc fc fc fc fc fc >c00000001d1d0100: fc fc fc 02 fc fc fc fc fc fc fc fc fc fc fc fc ^ c00000001d1d0180: fc fc fc fc 04 fc fc fc fc fc fc fc fc fc fc fc c00000001d1d0200: fc fc fc fc fc 04 fc fc fc fc fc fc fc fc fc fc This happens because the allocation uses the wrong unit (bits) when it should pass (BITS_TO_LONGS(count) * sizeof(long)) or equivalent. With small numbers of bits, the allocated object can be smaller than sizeof(long), which results in invalid accesses. Use bitmap_zalloc() to allocate and initialize the irq bitmap, paired with bitmap_free() for consistency.(CVE-2022-49623) In the Linux kernel, the following vulnerability has been resolved: wifi: at76c50x: fix use after free access in at76_disconnect The memory pointed to by priv is freed at the end of at76_delete_device function (using ieee80211_free_hw). But the code then accesses the udev field of the freed object to put the USB device. This may also lead to a memory leak of the usb device. Fix this by using udev from interface.(CVE-2025-37796) In the Linux kernel, the following vulnerability has been resolved: codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() After making all ->qlen_notify() callbacks idempotent, now it is safe to remove the check of qlen!=0 from both fq_codel_dequeue() and codel_qdisc_dequeue().(CVE-2025-37798) In the Linux kernel, the following vulnerability has been resolved: net_sched: qfq: Fix double list add in class with netem as child qdisc As described in Gerrard's report [1], there are use cases where a netem child qdisc will make the parent qdisc's enqueue callback reentrant. In the case of qfq, there won't be a UAF, but the code will add the same classifier to the list twice, which will cause memory corruption. This patch checks whether the class was already added to the agg->active list (cl_is_active) before doing the addition to cater for the reentrant case. [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/(CVE-2025-37913) In the Linux kernel, the following vulnerability has been resolved: net: atm: fix /proc/net/atm/lec handling /proc/net/atm/lec must ensure safety against dev_lec[] changes. It appears it had dev_put() calls without prior dev_hold(), leading to imbalance and UAF.(CVE-2025-38180) A vulnerability, which was classified as problematic, was found in Linux Kernel up to 6.1.146/6.6.99/6.12.39/6.15.7 (Operating System).CWE is classifying the issue as CWE-770. The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.This is going to have an impact on confidentiality, integrity, and availability.Upgrading to version 6.1.147, 6.6.100, 6.12.40 or 6.15.8 eliminates this vulnerability. Applying the patch d3ed1d84a84538a39b3eb2055d6a97a936c108f2/fcda39a9c5b834346088c14b1374336b079466c1/a262370f385e53ff7470efdcdaf40468e5756717/a47d9d9895bad9ce0e840a39836f19ca0b2a343a/4f15ee98304b96e164ff2340e1dfd6181c3f42aa is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.(CVE-2025-38495) A vulnerability classified as problematic was found in Linux Kernel up to 6.1.146/6.6.99/6.12.39/6.15.7 (Operating System).The CWE definition for the vulnerability is CWE-125. The product reads data past the end, or before the beginning, of the intended buffer.As an impact it is known to affect confidentiality.Upgrading to version 6.1.147, 6.6.100, 6.12.40 or 6.15.8 eliminates this vulnerability. Applying the patch ff30dd3f15f443d2a0085b12ec2cc95d44f35fa7/955e8835855fed8e87f7d8c8075564a1746c1b4c/e0f3c0867d7d231c70984f05c97752caacd0daba/43ddd82e6a91913cea1c078e782afd8de60c3a53/66acb1586737a22dd7b78abc63213b1bcaa100e4 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.(CVE-2025-38529) An update for kernel is now available for openEuler-22.03-LTS-SP4. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High kernel https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2059 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2022-49623 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-37796 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-37798 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-37913 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-38180 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-38495 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-38529 https://nvd.nist.gov/vuln/detail/CVE-2022-49623 https://nvd.nist.gov/vuln/detail/CVE-2025-37796 https://nvd.nist.gov/vuln/detail/CVE-2025-37798 https://nvd.nist.gov/vuln/detail/CVE-2025-37913 https://nvd.nist.gov/vuln/detail/CVE-2025-38180 https://nvd.nist.gov/vuln/detail/CVE-2025-38495 https://nvd.nist.gov/vuln/detail/CVE-2025-38529 openEuler-22.03-LTS-SP4 bpftool-5.10.0-278.0.0.181.oe2203sp4.aarch64.rpm bpftool-debuginfo-5.10.0-278.0.0.181.oe2203sp4.aarch64.rpm kernel-5.10.0-278.0.0.181.oe2203sp4.aarch64.rpm kernel-debuginfo-5.10.0-278.0.0.181.oe2203sp4.aarch64.rpm kernel-debugsource-5.10.0-278.0.0.181.oe2203sp4.aarch64.rpm kernel-devel-5.10.0-278.0.0.181.oe2203sp4.aarch64.rpm kernel-headers-5.10.0-278.0.0.181.oe2203sp4.aarch64.rpm kernel-source-5.10.0-278.0.0.181.oe2203sp4.aarch64.rpm kernel-tools-5.10.0-278.0.0.181.oe2203sp4.aarch64.rpm kernel-tools-debuginfo-5.10.0-278.0.0.181.oe2203sp4.aarch64.rpm kernel-tools-devel-5.10.0-278.0.0.181.oe2203sp4.aarch64.rpm perf-5.10.0-278.0.0.181.oe2203sp4.aarch64.rpm perf-debuginfo-5.10.0-278.0.0.181.oe2203sp4.aarch64.rpm python3-perf-5.10.0-278.0.0.181.oe2203sp4.aarch64.rpm python3-perf-debuginfo-5.10.0-278.0.0.181.oe2203sp4.aarch64.rpm bpftool-5.10.0-278.0.0.181.oe2203sp4.x86_64.rpm bpftool-debuginfo-5.10.0-278.0.0.181.oe2203sp4.x86_64.rpm kernel-5.10.0-278.0.0.181.oe2203sp4.x86_64.rpm kernel-debuginfo-5.10.0-278.0.0.181.oe2203sp4.x86_64.rpm kernel-debugsource-5.10.0-278.0.0.181.oe2203sp4.x86_64.rpm kernel-devel-5.10.0-278.0.0.181.oe2203sp4.x86_64.rpm kernel-headers-5.10.0-278.0.0.181.oe2203sp4.x86_64.rpm kernel-source-5.10.0-278.0.0.181.oe2203sp4.x86_64.rpm kernel-tools-5.10.0-278.0.0.181.oe2203sp4.x86_64.rpm kernel-tools-debuginfo-5.10.0-278.0.0.181.oe2203sp4.x86_64.rpm kernel-tools-devel-5.10.0-278.0.0.181.oe2203sp4.x86_64.rpm perf-5.10.0-278.0.0.181.oe2203sp4.x86_64.rpm perf-debuginfo-5.10.0-278.0.0.181.oe2203sp4.x86_64.rpm python3-perf-5.10.0-278.0.0.181.oe2203sp4.x86_64.rpm python3-perf-debuginfo-5.10.0-278.0.0.181.oe2203sp4.x86_64.rpm kernel-5.10.0-278.0.0.181.oe2203sp4.src.rpm In the Linux kernel, the following vulnerability has been resolved: powerpc/xive/spapr: correct bitmap allocation size kasan detects access beyond the end of the xibm->bitmap allocation: BUG: KASAN: slab-out-of-bounds in _find_first_zero_bit+0x40/0x140 Read of size 8 at addr c00000001d1d0118 by task swapper/0/1 CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.19.0-rc2-00001-g90df023b36dd #28 Call Trace: [c00000001d98f770] [c0000000012baab8] dump_stack_lvl+0xac/0x108 (unreliable) [c00000001d98f7b0] [c00000000068faac] print_report+0x37c/0x710 [c00000001d98f880] [c0000000006902c0] kasan_report+0x110/0x354 [c00000001d98f950] [c000000000692324] __asan_load8+0xa4/0xe0 [c00000001d98f970] [c0000000011c6ed0] _find_first_zero_bit+0x40/0x140 [c00000001d98f9b0] [c0000000000dbfbc] xive_spapr_get_ipi+0xcc/0x260 [c00000001d98fa70] [c0000000000d6d28] xive_setup_cpu_ipi+0x1e8/0x450 [c00000001d98fb30] [c000000004032a20] pSeries_smp_probe+0x5c/0x118 [c00000001d98fb60] [c000000004018b44] smp_prepare_cpus+0x944/0x9ac [c00000001d98fc90] [c000000004009f9c] kernel_init_freeable+0x2d4/0x640 [c00000001d98fd90] [c0000000000131e8] kernel_init+0x28/0x1d0 [c00000001d98fe10] [c00000000000cd54] ret_from_kernel_thread+0x5c/0x64 Allocated by task 0: kasan_save_stack+0x34/0x70 __kasan_kmalloc+0xb4/0xf0 __kmalloc+0x268/0x540 xive_spapr_init+0x4d0/0x77c pseries_init_irq+0x40/0x27c init_IRQ+0x44/0x84 start_kernel+0x2a4/0x538 start_here_common+0x1c/0x20 The buggy address belongs to the object at c00000001d1d0118 which belongs to the cache kmalloc-8 of size 8 The buggy address is located 0 bytes inside of 8-byte region [c00000001d1d0118, c00000001d1d0120) The buggy address belongs to the physical page: page:c00c000000074740 refcount:1 mapcount:0 mapping:0000000000000000 index:0xc00000001d1d0558 pfn:0x1d1d flags: 0x7ffff000000200(slab|node=0|zone=0|lastcpupid=0x7ffff) raw: 007ffff000000200 c00000001d0003c8 c00000001d0003c8 c00000001d010480 raw: c00000001d1d0558 0000000001e1000a 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: c00000001d1d0000: fc 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc c00000001d1d0080: fc fc 00 fc fc fc fc fc fc fc fc fc fc fc fc fc >c00000001d1d0100: fc fc fc 02 fc fc fc fc fc fc fc fc fc fc fc fc ^ c00000001d1d0180: fc fc fc fc 04 fc fc fc fc fc fc fc fc fc fc fc c00000001d1d0200: fc fc fc fc fc 04 fc fc fc fc fc fc fc fc fc fc This happens because the allocation uses the wrong unit (bits) when it should pass (BITS_TO_LONGS(count) * sizeof(long)) or equivalent. With small numbers of bits, the allocated object can be smaller than sizeof(long), which results in invalid accesses. Use bitmap_zalloc() to allocate and initialize the irq bitmap, paired with bitmap_free() for consistency. 2025-08-22 CVE-2022-49623 openEuler-22.03-LTS-SP4 High 7.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H kernel security update 2025-08-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2059 In the Linux kernel, the following vulnerability has been resolved: wifi: at76c50x: fix use after free access in at76_disconnect The memory pointed to by priv is freed at the end of at76_delete_device function (using ieee80211_free_hw). But the code then accesses the udev field of the freed object to put the USB device. This may also lead to a memory leak of the usb device. Fix this by using udev from interface. 2025-08-22 CVE-2025-37796 openEuler-22.03-LTS-SP4 High 8.0 AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2025-08-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2059 In the Linux kernel, the following vulnerability has been resolved: codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() After making all ->qlen_notify() callbacks idempotent, now it is safe to remove the check of qlen!=0 from both fq_codel_dequeue() and codel_qdisc_dequeue(). 2025-08-22 CVE-2025-37798 openEuler-22.03-LTS-SP4 High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2025-08-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2059 In the Linux kernel, the following vulnerability has been resolved: net_sched: qfq: Fix double list add in class with netem as child qdisc As described in Gerrard's report [1], there are use cases where a netem child qdisc will make the parent qdisc's enqueue callback reentrant. In the case of qfq, there won't be a UAF, but the code will add the same classifier to the list twice, which will cause memory corruption. This patch checks whether the class was already added to the agg->active list (cl_is_active) before doing the addition to cater for the reentrant case. [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/ 2025-08-22 CVE-2025-37913 openEuler-22.03-LTS-SP4 High 8.0 AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2025-08-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2059 In the Linux kernel, the following vulnerability has been resolved: net: atm: fix /proc/net/atm/lec handling /proc/net/atm/lec must ensure safety against dev_lec[] changes. It appears it had dev_put() calls without prior dev_hold(), leading to imbalance and UAF. 2025-08-22 CVE-2025-38180 openEuler-22.03-LTS-SP4 High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2025-08-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2059 A vulnerability, which was classified as problematic, was found in Linux Kernel up to 6.1.146/6.6.99/6.12.39/6.15.7 (Operating System).CWE is classifying the issue as CWE-770. The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.This is going to have an impact on confidentiality, integrity, and availability.Upgrading to version 6.1.147, 6.6.100, 6.12.40 or 6.15.8 eliminates this vulnerability. Applying the patch d3ed1d84a84538a39b3eb2055d6a97a936c108f2/fcda39a9c5b834346088c14b1374336b079466c1/a262370f385e53ff7470efdcdaf40468e5756717/a47d9d9895bad9ce0e840a39836f19ca0b2a343a/4f15ee98304b96e164ff2340e1dfd6181c3f42aa is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version. 2025-08-22 CVE-2025-38495 openEuler-22.03-LTS-SP4 High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2025-08-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2059 A vulnerability classified as problematic was found in Linux Kernel up to 6.1.146/6.6.99/6.12.39/6.15.7 (Operating System).The CWE definition for the vulnerability is CWE-125. The product reads data past the end, or before the beginning, of the intended buffer.As an impact it is known to affect confidentiality.Upgrading to version 6.1.147, 6.6.100, 6.12.40 or 6.15.8 eliminates this vulnerability. Applying the patch ff30dd3f15f443d2a0085b12ec2cc95d44f35fa7/955e8835855fed8e87f7d8c8075564a1746c1b4c/e0f3c0867d7d231c70984f05c97752caacd0daba/43ddd82e6a91913cea1c078e782afd8de60c3a53/66acb1586737a22dd7b78abc63213b1bcaa100e4 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version. 2025-08-22 CVE-2025-38529 openEuler-22.03-LTS-SP4 Low 3.9 AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L kernel security update 2025-08-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2059