An update for kernel is now available for openEuler-22.03-LTS-SP4 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-2632 Final 1.0 1.0 2025-11-07 Initial 2025-11-07 2025-11-07 openEuler SA Tool V1.0 2025-11-07 kernel security update An update for kernel is now available for openEuler-22.03-LTS-SP4 The Linux Kernel, the operating system core itself. Security Fix(es): In the Linux kernel, the following vulnerability has been resolved: SUNRPC: make sure cache entry active before cache_show The function `c_show` was called with protection from RCU. This only ensures that `cp` will not be freed. Therefore, the reference count for `cp` can drop to zero, which will trigger a refcount use-after-free warning when `cache_get` is called. To resolve this issue, use `cache_get_rcu` to ensure that `cp` remains active. ------------[ cut here ]------------ refcount_t: addition on 0; use-after-free. WARNING: CPU: 7 PID: 822 at lib/refcount.c:25 refcount_warn_saturate+0xb1/0x120 CPU: 7 UID: 0 PID: 822 Comm: cat Not tainted 6.12.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:refcount_warn_saturate+0xb1/0x120 Call Trace: <TASK> c_show+0x2fc/0x380 [sunrpc] seq_read_iter+0x589/0x770 seq_read+0x1e5/0x270 proc_reg_read+0xe1/0x140 vfs_read+0x125/0x530 ksys_read+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e(CVE-2024-53174) In the Linux kernel, the following vulnerability has been resolved:dm array: fix releasing a faulty array block twice in dm_array_cursor_endWhen dm_bm_read_lock() fails due to locking or checksum errors, itreleases the faulty block implicitly while leaving an invalid outputpointer behind. The caller of dm_bm_read_lock() should not operate onthis invalid dm_block pointer, or it will lead to undefined result.For example, the dm_array_cursor incorrectly caches the invalid pointeron reading a faulty array block, causing a double release indm_array_cursor_end(), then hitting the BUG_ON in dm-bufio cache_put().Reproduce steps:1. initialize a cache devicedmsetup create cmeta --table 0 8192 linear /dev/sdc 0 dmsetup create cdata --table 0 65536 linear /dev/sdc 8192 dmsetup create corig --table 0 524288 linear /dev/sdc $262144 dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1dmsetup create cache --table 0 524288 cache /dev/mapper/cmeta /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0 2. wipe the second array block offlinedmsteup remove cache cmeta cdata corigmapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 2>/dev/null | hexdump -e 1/8 %u n )ablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) 2>/dev/null | hexdump -e 1/8 %u n )dd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock3. try reopen the cache devicedmsetup create cmeta --table 0 8192 linear /dev/sdc 0 dmsetup create cdata --table 0 65536 linear /dev/sdc 8192 dmsetup create corig --table 0 524288 linear /dev/sdc $262144 dmsetup create cache --table 0 524288 cache /dev/mapper/cmeta /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0 Kernel logs:(snip)device-mapper: array: array_block_check failed: blocknr 0 != wanted 10device-mapper: block manager: array validator check failed for block 10device-mapper: array: get_ablock faileddevice-mapper: cache metadata: dm_array_cursor_next for mapping failed------------[ cut here ]------------kernel BUG at drivers/md/dm-bufio.c:638!Fix by setting the cached block pointer to NULL on errors.In addition to the reproducer described above, this fix can beverified using the array_cursor/damaged test in dm-unit: dm-unit run /pdata/array_cursor/damaged --kernel-dir <KERNEL_DIR>(CVE-2024-57929) In the Linux kernel, the following vulnerability has been resolved: mm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list In shrink_folio_list(), the hwpoisoned folio may be large folio, which can't be handled by unmap_poisoned_folio(). For THP, try_to_unmap_one() must be passed with TTU_SPLIT_HUGE_PMD to split huge PMD first and then retry. Without TTU_SPLIT_HUGE_PMD, we will trigger null-ptr deref of pvmw.pte. Even we passed TTU_SPLIT_HUGE_PMD, we will trigger a WARN_ON_ONCE due to the page isn't in swapcache. Since UCE is rare in real world, and race with reclaimation is more rare, just skipping the hwpoisoned large folio is enough. memory_failure() will handle it if the UCE is triggered again. This happens when memory reclaim for large folio races with memory_failure(), and will lead to kernel panic. The race is as follows: cpu0 cpu1 shrink_folio_list memory_failure TestSetPageHWPoison unmap_poisoned_folio --> trigger BUG_ON due to unmap_poisoned_folio couldn't handle large folio [(CVE-2025-39725) In the Linux kernel, the following vulnerability has been resolved: i40e: add validation for ring_len param The `ring_len` parameter provided by the virtual function (VF) is assigned directly to the hardware memory context (HMC) without any validation. To address this, introduce an upper boundary check for both Tx and Rx queue lengths. The maximum number of descriptors supported by the hardware is 8k-32. Additionally, enforce alignment constraints: Tx rings must be a multiple of 8, and Rx rings must be a multiple of 32.(CVE-2025-39973) In the Linux kernel, the following vulnerability has been resolved: media: rc: fix races with imon_disconnect() Syzbot reports a KASAN issue as below: BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline] BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465 CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 __create_pipe include/linux/usb.h:1945 [inline] send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991 vfs_write+0x2d7/0xdd0 fs/read_write.c:576 ksys_write+0x127/0x250 fs/read_write.c:631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The iMON driver improperly releases the usb_device reference in imon_disconnect without coordinating with active users of the device. Specifically, the fields usbdev_intf0 and usbdev_intf1 are not protected by the users counter (ictx->users). During probe, imon_init_intf0 or imon_init_intf1 increments the usb_device reference count depending on the interface. However, during disconnect, usb_put_dev is called unconditionally, regardless of actual usage. As a result, if vfd_write or other operations are still in progress after disconnect, this can lead to a use-after-free of the usb_device pointer. Thread 1 vfd_write Thread 2 imon_disconnect ... if usb_put_dev(ictx->usbdev_intf0) else usb_put_dev(ictx->usbdev_intf1) ... while send_packet if pipe = usb_sndintpipe( ictx->usbdev_intf0) UAF else pipe = usb_sndctrlpipe( ictx->usbdev_intf0, 0) UAF Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by checking ictx->disconnected in all writer paths. Add early return with -ENODEV in send_packet(), vfd_write(), lcd_write() and display_open() if the device is no longer present. Set and read ictx->disconnected under ictx->lock to ensure memory synchronization. Acquire the lock in imon_disconnect() before setting the flag to synchronize with any ongoing operations. Ensure writers exit early and safely after disconnect before the USB core proceeds with cleanup. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.(CVE-2025-39993) In the Linux kernel, the following vulnerability has been resolved:tracing: dynevent: Add a missing lockdown check on dyneventSince dynamic_events interface on tracefs is compatible withkprobe_events and uprobe_events, it should also check the lockdownstatus and reject if it is set.(CVE-2025-40021) There is a critical race condition in kprobe initialization in the Linux kernel that can lead to NULL pointer dereference and kernel crash.Vulnerability Analysis:The race condition occurs between kprobe activation and perf_events initialization. When CPU0 executes kprobe initialization and enables kprobe functionality, CPU1 may trigger a debug exception during this period and attempt to access the perf_events pointer that has not been initialized yet, resulting in NULL pointer dereference.Technical Details:In kernel/trace/trace_kprobe.c at line 1308, the kprobe_perf_func function attempts to access the call->perf_events pointer, but due to the race condition, this pointer may not have been properly initialized.(CVE-2025-40042) In the Linux kernel, a vulnerability exists in the UDF filesystem's handling of Allocation Extent Descriptors. When parsing Allocation Extent Descriptor, lengthAllocDescs comes from on-disk data and must be validated against the block size. Crafted or corrupted images may set lengthAllocDescs so that the total descriptor length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer, leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and trigger a KASAN use-after-free read. This vulnerability was found by Linux Verification Center (linuxtesting.org) with Syzkaller.(CVE-2025-40044) In the Linux kernel, an integer overflow vulnerability exists in the arm_spe component of the perf subsystem. The PERF_IDX2OFF() function does not properly cast to unsigned long when handling large AUX buffer sizes (>= 2 GiB), which may lead to integer overflow.(CVE-2025-40081) An update for kernel is now available for openEuler-22.03-LTS-SP4. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High kernel https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2632 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-53174 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-57929 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-39725 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-39973 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-39993 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-40021 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-40042 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-40044 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-40081 https://nvd.nist.gov/vuln/detail/CVE-2024-53174 https://nvd.nist.gov/vuln/detail/CVE-2024-57929 https://nvd.nist.gov/vuln/detail/CVE-2025-39725 https://nvd.nist.gov/vuln/detail/CVE-2025-39973 https://nvd.nist.gov/vuln/detail/CVE-2025-39993 https://nvd.nist.gov/vuln/detail/CVE-2025-40021 https://nvd.nist.gov/vuln/detail/CVE-2025-40042 https://nvd.nist.gov/vuln/detail/CVE-2025-40044 https://nvd.nist.gov/vuln/detail/CVE-2025-40081 openEuler-22.03-LTS-SP4 bpftool-5.10.0-288.0.0.191.oe2203sp4.aarch64.rpm bpftool-debuginfo-5.10.0-288.0.0.191.oe2203sp4.aarch64.rpm kernel-5.10.0-288.0.0.191.oe2203sp4.aarch64.rpm kernel-debuginfo-5.10.0-288.0.0.191.oe2203sp4.aarch64.rpm kernel-debugsource-5.10.0-288.0.0.191.oe2203sp4.aarch64.rpm kernel-devel-5.10.0-288.0.0.191.oe2203sp4.aarch64.rpm kernel-headers-5.10.0-288.0.0.191.oe2203sp4.aarch64.rpm kernel-source-5.10.0-288.0.0.191.oe2203sp4.aarch64.rpm kernel-tools-5.10.0-288.0.0.191.oe2203sp4.aarch64.rpm kernel-tools-debuginfo-5.10.0-288.0.0.191.oe2203sp4.aarch64.rpm kernel-tools-devel-5.10.0-288.0.0.191.oe2203sp4.aarch64.rpm perf-5.10.0-288.0.0.191.oe2203sp4.aarch64.rpm perf-debuginfo-5.10.0-288.0.0.191.oe2203sp4.aarch64.rpm python3-perf-5.10.0-288.0.0.191.oe2203sp4.aarch64.rpm python3-perf-debuginfo-5.10.0-288.0.0.191.oe2203sp4.aarch64.rpm bpftool-5.10.0-288.0.0.191.oe2203sp4.x86_64.rpm bpftool-debuginfo-5.10.0-288.0.0.191.oe2203sp4.x86_64.rpm kernel-5.10.0-288.0.0.191.oe2203sp4.x86_64.rpm kernel-debuginfo-5.10.0-288.0.0.191.oe2203sp4.x86_64.rpm kernel-debugsource-5.10.0-288.0.0.191.oe2203sp4.x86_64.rpm kernel-devel-5.10.0-288.0.0.191.oe2203sp4.x86_64.rpm kernel-headers-5.10.0-288.0.0.191.oe2203sp4.x86_64.rpm kernel-source-5.10.0-288.0.0.191.oe2203sp4.x86_64.rpm kernel-tools-5.10.0-288.0.0.191.oe2203sp4.x86_64.rpm kernel-tools-debuginfo-5.10.0-288.0.0.191.oe2203sp4.x86_64.rpm kernel-tools-devel-5.10.0-288.0.0.191.oe2203sp4.x86_64.rpm perf-5.10.0-288.0.0.191.oe2203sp4.x86_64.rpm perf-debuginfo-5.10.0-288.0.0.191.oe2203sp4.x86_64.rpm python3-perf-5.10.0-288.0.0.191.oe2203sp4.x86_64.rpm python3-perf-debuginfo-5.10.0-288.0.0.191.oe2203sp4.x86_64.rpm kernel-5.10.0-288.0.0.191.oe2203sp4.src.rpm In the Linux kernel, the following vulnerability has been resolved: SUNRPC: make sure cache entry active before cache_show The function `c_show` was called with protection from RCU. This only ensures that `cp` will not be freed. Therefore, the reference count for `cp` can drop to zero, which will trigger a refcount use-after-free warning when `cache_get` is called. To resolve this issue, use `cache_get_rcu` to ensure that `cp` remains active. ------------[ cut here ]------------ refcount_t: addition on 0; use-after-free. WARNING: CPU: 7 PID: 822 at lib/refcount.c:25 refcount_warn_saturate+0xb1/0x120 CPU: 7 UID: 0 PID: 822 Comm: cat Not tainted 6.12.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:refcount_warn_saturate+0xb1/0x120 Call Trace: <TASK> c_show+0x2fc/0x380 [sunrpc] seq_read_iter+0x589/0x770 seq_read+0x1e5/0x270 proc_reg_read+0xe1/0x140 vfs_read+0x125/0x530 ksys_read+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e 2025-11-07 CVE-2024-53174 openEuler-22.03-LTS-SP4 High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2025-11-07 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2632 In the Linux kernel, the following vulnerability has been resolved:dm array: fix releasing a faulty array block twice in dm_array_cursor_endWhen dm_bm_read_lock() fails due to locking or checksum errors, itreleases the faulty block implicitly while leaving an invalid outputpointer behind. The caller of dm_bm_read_lock() should not operate onthis invalid dm_block pointer, or it will lead to undefined result.For example, the dm_array_cursor incorrectly caches the invalid pointeron reading a faulty array block, causing a double release indm_array_cursor_end(), then hitting the BUG_ON in dm-bufio cache_put().Reproduce steps:1. initialize a cache devicedmsetup create cmeta --table 0 8192 linear /dev/sdc 0 dmsetup create cdata --table 0 65536 linear /dev/sdc 8192 dmsetup create corig --table 0 524288 linear /dev/sdc $262144 dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1dmsetup create cache --table 0 524288 cache /dev/mapper/cmeta /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0 2. wipe the second array block offlinedmsteup remove cache cmeta cdata corigmapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 2>/dev/null | hexdump -e 1/8 %u n )ablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) 2>/dev/null | hexdump -e 1/8 %u n )dd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock3. try reopen the cache devicedmsetup create cmeta --table 0 8192 linear /dev/sdc 0 dmsetup create cdata --table 0 65536 linear /dev/sdc 8192 dmsetup create corig --table 0 524288 linear /dev/sdc $262144 dmsetup create cache --table 0 524288 cache /dev/mapper/cmeta /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0 Kernel logs:(snip)device-mapper: array: array_block_check failed: blocknr 0 != wanted 10device-mapper: block manager: array validator check failed for block 10device-mapper: array: get_ablock faileddevice-mapper: cache metadata: dm_array_cursor_next for mapping failed------------[ cut here ]------------kernel BUG at drivers/md/dm-bufio.c:638!Fix by setting the cached block pointer to NULL on errors.In addition to the reproducer described above, this fix can beverified using the array_cursor/damaged test in dm-unit: dm-unit run /pdata/array_cursor/damaged --kernel-dir <KERNEL_DIR> 2025-11-07 CVE-2024-57929 openEuler-22.03-LTS-SP4 Medium 6.0 AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H kernel security update 2025-11-07 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2632 In the Linux kernel, the following vulnerability has been resolved: mm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list In shrink_folio_list(), the hwpoisoned folio may be large folio, which can't be handled by unmap_poisoned_folio(). For THP, try_to_unmap_one() must be passed with TTU_SPLIT_HUGE_PMD to split huge PMD first and then retry. Without TTU_SPLIT_HUGE_PMD, we will trigger null-ptr deref of pvmw.pte. Even we passed TTU_SPLIT_HUGE_PMD, we will trigger a WARN_ON_ONCE due to the page isn't in swapcache. Since UCE is rare in real world, and race with reclaimation is more rare, just skipping the hwpoisoned large folio is enough. memory_failure() will handle it if the UCE is triggered again. This happens when memory reclaim for large folio races with memory_failure(), and will lead to kernel panic. The race is as follows: cpu0 cpu1 shrink_folio_list memory_failure TestSetPageHWPoison unmap_poisoned_folio --> trigger BUG_ON due to unmap_poisoned_folio couldn't handle large folio [ 2025-11-07 CVE-2025-39725 openEuler-22.03-LTS-SP4 High 7.0 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2025-11-07 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2632 In the Linux kernel, the following vulnerability has been resolved: i40e: add validation for ring_len param The `ring_len` parameter provided by the virtual function (VF) is assigned directly to the hardware memory context (HMC) without any validation. To address this, introduce an upper boundary check for both Tx and Rx queue lengths. The maximum number of descriptors supported by the hardware is 8k-32. Additionally, enforce alignment constraints: Tx rings must be a multiple of 8, and Rx rings must be a multiple of 32. 2025-11-07 CVE-2025-39973 openEuler-22.03-LTS-SP4 High 7.5 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2025-11-07 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2632 In the Linux kernel, the following vulnerability has been resolved: media: rc: fix races with imon_disconnect() Syzbot reports a KASAN issue as below: BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline] BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465 CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 __create_pipe include/linux/usb.h:1945 [inline] send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991 vfs_write+0x2d7/0xdd0 fs/read_write.c:576 ksys_write+0x127/0x250 fs/read_write.c:631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The iMON driver improperly releases the usb_device reference in imon_disconnect without coordinating with active users of the device. Specifically, the fields usbdev_intf0 and usbdev_intf1 are not protected by the users counter (ictx->users). During probe, imon_init_intf0 or imon_init_intf1 increments the usb_device reference count depending on the interface. However, during disconnect, usb_put_dev is called unconditionally, regardless of actual usage. As a result, if vfd_write or other operations are still in progress after disconnect, this can lead to a use-after-free of the usb_device pointer. Thread 1 vfd_write Thread 2 imon_disconnect ... if usb_put_dev(ictx->usbdev_intf0) else usb_put_dev(ictx->usbdev_intf1) ... while send_packet if pipe = usb_sndintpipe( ictx->usbdev_intf0) UAF else pipe = usb_sndctrlpipe( ictx->usbdev_intf0, 0) UAF Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by checking ictx->disconnected in all writer paths. Add early return with -ENODEV in send_packet(), vfd_write(), lcd_write() and display_open() if the device is no longer present. Set and read ictx->disconnected under ictx->lock to ensure memory synchronization. Acquire the lock in imon_disconnect() before setting the flag to synchronize with any ongoing operations. Ensure writers exit early and safely after disconnect before the USB core proceeds with cleanup. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. 2025-11-07 CVE-2025-39993 openEuler-22.03-LTS-SP4 High 7.0 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2025-11-07 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2632 In the Linux kernel, the following vulnerability has been resolved:tracing: dynevent: Add a missing lockdown check on dyneventSince dynamic_events interface on tracefs is compatible withkprobe_events and uprobe_events, it should also check the lockdownstatus and reject if it is set. 2025-11-07 CVE-2025-40021 openEuler-22.03-LTS-SP4 Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2025-11-07 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2632 There is a critical race condition in kprobe initialization in the Linux kernel that can lead to NULL pointer dereference and kernel crash.Vulnerability Analysis:The race condition occurs between kprobe activation and perf_events initialization. When CPU0 executes kprobe initialization and enables kprobe functionality, CPU1 may trigger a debug exception during this period and attempt to access the perf_events pointer that has not been initialized yet, resulting in NULL pointer dereference.Technical Details:In kernel/trace/trace_kprobe.c at line 1308, the kprobe_perf_func function attempts to access the call->perf_events pointer, but due to the race condition, this pointer may not have been properly initialized. 2025-11-07 CVE-2025-40042 openEuler-22.03-LTS-SP4 Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2025-11-07 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2632 In the Linux kernel, a vulnerability exists in the UDF filesystem's handling of Allocation Extent Descriptors. When parsing Allocation Extent Descriptor, lengthAllocDescs comes from on-disk data and must be validated against the block size. Crafted or corrupted images may set lengthAllocDescs so that the total descriptor length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer, leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and trigger a KASAN use-after-free read. This vulnerability was found by Linux Verification Center (linuxtesting.org) with Syzkaller. 2025-11-07 CVE-2025-40044 openEuler-22.03-LTS-SP4 Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2025-11-07 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2632 In the Linux kernel, an integer overflow vulnerability exists in the arm_spe component of the perf subsystem. The PERF_IDX2OFF() function does not properly cast to unsigned long when handling large AUX buffer sizes (>= 2 GiB), which may lead to integer overflow. 2025-11-07 CVE-2025-40081 openEuler-22.03-LTS-SP4 High 7.0 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2025-11-07 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2632