An update for kernel is now available for openEuler-22.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-2769 Final 1.0 1.0 2025-11-28 Initial 2025-11-28 2025-11-28 openEuler SA Tool V1.0 2025-11-28 kernel security update An update for kernel is now available for openEuler-22.03-LTS-SP3 The Linux Kernel, the operating system core itself. Security Fix(es): In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211_hwsim: drop short frames While technically some control frames like ACK are shorter and end after Address 1, such frames shouldn't be forwarded through wmediumd or similar userspace, so require the full 3-address header to avoid accessing invalid memory if shorter frames are passed in.(CVE-2023-53321) In the Linux kernel, the following vulnerability has been resolved:ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()There s issue as follows:BUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790Read of size 4 at addr ffff88807b003000 by task syz-executor.0/15172CPU: 3 PID: 15172 Comm: syz-executor.0Call Trace: __dump_stack lib/dump_stack.c:82 [inline] dump_stack+0xbe/0xfd lib/dump_stack.c:123 print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400 __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 kasan_report+0x3a/0x50 mm/kasan/report.c:585 ext4_xattr_inode_dec_ref_all+0x6ff/0x790 fs/ext4/xattr.c:1137 ext4_xattr_delete_inode+0x4c7/0xda0 fs/ext4/xattr.c:2896 ext4_evict_inode+0xb3b/0x1670 fs/ext4/inode.c:323 evict+0x39f/0x880 fs/inode.c:622 iput_final fs/inode.c:1746 [inline] iput fs/inode.c:1772 [inline] iput+0x525/0x6c0 fs/inode.c:1758 ext4_orphan_cleanup fs/ext4/super.c:3298 [inline] ext4_fill_super+0x8c57/0xba40 fs/ext4/super.c:5300 mount_bdev+0x355/0x410 fs/super.c:1446 legacy_get_tree+0xfe/0x220 fs/fs_context.c:611 vfs_get_tree+0x8d/0x2f0 fs/super.c:1576 do_new_mount fs/namespace.c:2983 [inline] path_mount+0x119a/0x1ad0 fs/namespace.c:3316 do_mount+0xfc/0x110 fs/namespace.c:3329 __do_sys_mount fs/namespace.c:3540 [inline] __se_sys_mount+0x219/0x2e0 fs/namespace.c:3514 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x67/0xd1Memory state around the buggy address: ffff88807b002f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88807b002f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00>ffff88807b003000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88807b003080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88807b003100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffAbove issue happens as ext4_xattr_delete_inode() isn t check xattris valid if xattr is in inode.To solve above issue call xattr_check_inode() check if xattr if validin inode. In fact, we can directly verify in ext4_iget_extra_inode(),so that there is no divergent verification.(CVE-2025-22121) Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2025-39751) In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.(CVE-2025-40019) In the Linux kernel, a memory leak vulnerability exists. Cilium's BPF egress gateway feature redirects K8s Pod traffic through vxlan tunnels to dedicated egress gateways. When using the bpf_redirect_neigh() helper to forward packets, vxlan allocates metadata_dst objects and attaches them to skb through fake dst entries. However, since bpf_redirect_neigh() only sets new dst entries without first dropping existing ones, the metadata_dst objects are never released, causing continuous increase in kmalloc-256 slab usage.(CVE-2025-40183) In the Linux kernel, the following vulnerability has been resolved: cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request(). The cpufreq_cpu_put() call in update_qos_request() takes place too early because the latter subsequently calls freq_qos_update_request() that indirectly accesses the policy object in question through the QoS request object passed to it. Fortunately, update_qos_request() is called under intel_pstate_driver_lock, so this issue does not matter for changing the intel_pstate operation mode, but it theoretically can cause a crash to occur on CPU device hot removal (which currently can only happen in virt, but it is formally supported nevertheless). Address this issue by modifying update_qos_request() to drop the reference to the policy later.(CVE-2025-40194) An update for kernel is now available for openEuler-22.03-LTS-SP3. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High kernel https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2769 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2023-53321 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-22121 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-39751 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-40019 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-40183 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-40194 https://nvd.nist.gov/vuln/detail/CVE-2023-53321 https://nvd.nist.gov/vuln/detail/CVE-2025-22121 https://nvd.nist.gov/vuln/detail/CVE-2025-39751 https://nvd.nist.gov/vuln/detail/CVE-2025-40019 https://nvd.nist.gov/vuln/detail/CVE-2025-40183 https://nvd.nist.gov/vuln/detail/CVE-2025-40194 openEuler-22.03-LTS-SP3 kernel-5.10.0-292.0.0.194.oe2203sp3.x86_64.rpm kernel-debuginfo-5.10.0-292.0.0.194.oe2203sp3.x86_64.rpm kernel-debugsource-5.10.0-292.0.0.194.oe2203sp3.x86_64.rpm kernel-devel-5.10.0-292.0.0.194.oe2203sp3.x86_64.rpm kernel-headers-5.10.0-292.0.0.194.oe2203sp3.x86_64.rpm kernel-source-5.10.0-292.0.0.194.oe2203sp3.x86_64.rpm kernel-tools-5.10.0-292.0.0.194.oe2203sp3.x86_64.rpm kernel-tools-debuginfo-5.10.0-292.0.0.194.oe2203sp3.x86_64.rpm kernel-tools-devel-5.10.0-292.0.0.194.oe2203sp3.x86_64.rpm perf-5.10.0-292.0.0.194.oe2203sp3.x86_64.rpm perf-debuginfo-5.10.0-292.0.0.194.oe2203sp3.x86_64.rpm python3-perf-5.10.0-292.0.0.194.oe2203sp3.x86_64.rpm python3-perf-debuginfo-5.10.0-292.0.0.194.oe2203sp3.x86_64.rpm kernel-5.10.0-292.0.0.194.oe2203sp3.aarch64.rpm kernel-debuginfo-5.10.0-292.0.0.194.oe2203sp3.aarch64.rpm kernel-debugsource-5.10.0-292.0.0.194.oe2203sp3.aarch64.rpm kernel-devel-5.10.0-292.0.0.194.oe2203sp3.aarch64.rpm kernel-headers-5.10.0-292.0.0.194.oe2203sp3.aarch64.rpm kernel-source-5.10.0-292.0.0.194.oe2203sp3.aarch64.rpm kernel-tools-5.10.0-292.0.0.194.oe2203sp3.aarch64.rpm kernel-tools-debuginfo-5.10.0-292.0.0.194.oe2203sp3.aarch64.rpm kernel-tools-devel-5.10.0-292.0.0.194.oe2203sp3.aarch64.rpm perf-5.10.0-292.0.0.194.oe2203sp3.aarch64.rpm perf-debuginfo-5.10.0-292.0.0.194.oe2203sp3.aarch64.rpm python3-perf-5.10.0-292.0.0.194.oe2203sp3.aarch64.rpm python3-perf-debuginfo-5.10.0-292.0.0.194.oe2203sp3.aarch64.rpm kernel-5.10.0-292.0.0.194.oe2203sp3.src.rpm In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211_hwsim: drop short frames While technically some control frames like ACK are shorter and end after Address 1, such frames shouldn't be forwarded through wmediumd or similar userspace, so require the full 3-address header to avoid accessing invalid memory if shorter frames are passed in. 2025-11-28 CVE-2023-53321 openEuler-22.03-LTS-SP3 Medium 6.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L kernel security update 2025-11-28 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2769 In the Linux kernel, the following vulnerability has been resolved:ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()There s issue as follows:BUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790Read of size 4 at addr ffff88807b003000 by task syz-executor.0/15172CPU: 3 PID: 15172 Comm: syz-executor.0Call Trace: __dump_stack lib/dump_stack.c:82 [inline] dump_stack+0xbe/0xfd lib/dump_stack.c:123 print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400 __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 kasan_report+0x3a/0x50 mm/kasan/report.c:585 ext4_xattr_inode_dec_ref_all+0x6ff/0x790 fs/ext4/xattr.c:1137 ext4_xattr_delete_inode+0x4c7/0xda0 fs/ext4/xattr.c:2896 ext4_evict_inode+0xb3b/0x1670 fs/ext4/inode.c:323 evict+0x39f/0x880 fs/inode.c:622 iput_final fs/inode.c:1746 [inline] iput fs/inode.c:1772 [inline] iput+0x525/0x6c0 fs/inode.c:1758 ext4_orphan_cleanup fs/ext4/super.c:3298 [inline] ext4_fill_super+0x8c57/0xba40 fs/ext4/super.c:5300 mount_bdev+0x355/0x410 fs/super.c:1446 legacy_get_tree+0xfe/0x220 fs/fs_context.c:611 vfs_get_tree+0x8d/0x2f0 fs/super.c:1576 do_new_mount fs/namespace.c:2983 [inline] path_mount+0x119a/0x1ad0 fs/namespace.c:3316 do_mount+0xfc/0x110 fs/namespace.c:3329 __do_sys_mount fs/namespace.c:3540 [inline] __se_sys_mount+0x219/0x2e0 fs/namespace.c:3514 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x67/0xd1Memory state around the buggy address: ffff88807b002f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88807b002f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00>ffff88807b003000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88807b003080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88807b003100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffAbove issue happens as ext4_xattr_delete_inode() isn t check xattris valid if xattr is in inode.To solve above issue call xattr_check_inode() check if xattr if validin inode. In fact, we can directly verify in ext4_iget_extra_inode(),so that there is no divergent verification. 2025-11-28 CVE-2025-22121 openEuler-22.03-LTS-SP3 Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2025-11-28 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2769 Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. 2025-11-28 CVE-2025-39751 openEuler-22.03-LTS-SP3 High 7.0 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2025-11-28 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2769 In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption. 2025-11-28 CVE-2025-40019 openEuler-22.03-LTS-SP3 Medium 6.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H kernel security update 2025-11-28 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2769 In the Linux kernel, a memory leak vulnerability exists. Cilium's BPF egress gateway feature redirects K8s Pod traffic through vxlan tunnels to dedicated egress gateways. When using the bpf_redirect_neigh() helper to forward packets, vxlan allocates metadata_dst objects and attaches them to skb through fake dst entries. However, since bpf_redirect_neigh() only sets new dst entries without first dropping existing ones, the metadata_dst objects are never released, causing continuous increase in kmalloc-256 slab usage. 2025-11-28 CVE-2025-40183 openEuler-22.03-LTS-SP3 Medium 4.4 AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H kernel security update 2025-11-28 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2769 In the Linux kernel, the following vulnerability has been resolved: cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request(). The cpufreq_cpu_put() call in update_qos_request() takes place too early because the latter subsequently calls freq_qos_update_request() that indirectly accesses the policy object in question through the QoS request object passed to it. Fortunately, update_qos_request() is called under intel_pstate_driver_lock, so this issue does not matter for changing the intel_pstate operation mode, but it theoretically can cause a crash to occur on CPU device hot removal (which currently can only happen in virt, but it is formally supported nevertheless). Address this issue by modifying update_qos_request() to drop the reference to the policy later. 2025-11-28 CVE-2025-40194 openEuler-22.03-LTS-SP3 Medium 5.8 AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H kernel security update 2025-11-28 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2769