{"schema_version":"1.7.2","id":"OESA-2025-1727","modified":"2025-07-04T14:43:10Z","published":"2025-07-04T14:43:10Z","upstream":["CVE-2022-50057","CVE-2022-50167","CVE-2022-50230","CVE-2024-26798","CVE-2025-21927","CVE-2025-22026","CVE-2025-38031","CVE-2025-38078"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix NULL deref in ntfs_update_mftmirr\n\nIf ntfs_fill_super() wasn\u0026apos;t called then sbi-\u0026gt;sb will be equal to NULL.\nCode should check this ptr before dereferencing. Syzbot hit this issue\nvia passing wrong mount param as can be seen from log below\n\nFail log:\nntfs3: Unknown parameter \u0026apos;iochvrset\u0026apos;\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\nCPU: 1 PID: 3589 Comm: syz-executor210 Not tainted 5.18.0-rc3-syzkaller-00016-gb253435746d9 #0\n...\nCall Trace:\n \u0026lt;TASK\u0026gt;\n put_ntfs+0x1ed/0x2a0 fs/ntfs3/super.c:463\n ntfs_fs_free+0x6a/0xe0 fs/ntfs3/super.c:1363\n put_fs_context+0x119/0x7a0 fs/fs_context.c:469\n do_new_mount+0x2b4/0xad0 fs/namespace.c:3044\n do_mount fs/namespace.c:3383 [inline]\n __do_sys_mount fs/namespace.c:3591 [inline](CVE-2022-50057)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nbpf: fix potential 32-bit overflow when accessing ARRAY map element\n\nIf BPF array map is bigger than 4GB, element pointer calculation can\noverflow because both index and elem_size are u32. Fix this everywhere\nby forcing 64-bit multiplication. Extract this formula into separate\nsmall helper and use it consistently in various places.\n\nSpeculative-preventing formula utilizing index_mask trick is left as is,\nbut explicit u64 casts are added in both places.(CVE-2022-50167)\n\nLinux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States.\n There is a security vulnerability in Linux kernel. This vulnerability originates from arm64 not setting UXN in swapper page table, which may cause access to be denied.(CVE-2022-50230)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nfbcon: always restore the old font data in fbcon_do_set_font()\n\nCommit a5a923038d70 (fbdev: fbcon: Properly revert changes when\nvc_resize() failed) started restoring old font data upon failure (of\nvc_resize()). But it performs so only for user fonts. It means that the\n\u0026quot;system\u0026quot;/internal fonts are not restored at all. So in result, the very\nfirst call to fbcon_do_set_font() performs no restore at all upon\nfailing vc_resize().\n\nThis can be reproduced by Syzkaller to crash the system on the next\ninvocation of font_get(). It\u0026apos;s rather hard to hit the allocation failure\nin vc_resize() on the first font_set(), but not impossible. Esp. if\nfault injection is used to aid the execution/failure. It was\ndemonstrated by Sirius:\n  BUG: unable to handle page fault for address: fffffffffffffff8\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0\n  Oops: 0000 [#1] PREEMPT SMP KASAN\n  CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n  RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286\n  Call Trace:\n   \u0026lt;TASK\u0026gt;\n   con_font_get drivers/tty/vt/vt.c:4558 [inline]\n   con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673\n   vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]\n   vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752\n   tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803\n   vfs_ioctl fs/ioctl.c:51 [inline]\n  ...\n\nSo restore the font data in any case, not only for user fonts. Note the\nlater \u0026apos;if\u0026apos; is now protected by \u0026apos;old_userfont\u0026apos; and not \u0026apos;old_data\u0026apos; as the\nlatter is always set now. (And it is supposed to be non-NULL. Otherwise\nwe would see the bug above again.)(CVE-2024-26798)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu()\n\nnvme_tcp_recv_pdu() doesn\u0026apos;t check the validity of the header length.\nWhen header digests are enabled, a target might send a packet with an\ninvalid header length (e.g. 255), causing nvme_tcp_verify_hdgst()\nto access memory outside the allocated area and cause memory corruptions\nby overwriting it with the calculated digest.\n\nFix this by rejecting packets with an unexpected header length.(CVE-2025-21927)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: don\u0026apos;t ignore the return code of svc_proc_register()\n\nCurrently, nfsd_proc_stat_init() ignores the return value of\nsvc_proc_register(). If the procfile creation fails, then the kernel\nwill WARN when it tries to remove the entry later.\n\nFix nfsd_proc_stat_init() to return the same type of pointer as\nsvc_proc_register(), and fix up nfsd_net_init() to check that and fail\nthe nfsd_net construction if it occurs.\n\nsvc_proc_register() can fail if the dentry can\u0026apos;t be allocated, or if an\nidentical dentry already exists. The second case is pretty unlikely in\nthe nfsd_net construction codepath, so if this happens, return -ENOMEM.(CVE-2025-22026)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\npadata: do not leak refcount in reorder_work\n\nA recent patch that addressed a UAF introduced a reference count leak:\nthe parallel_data refcount is incremented unconditionally, regardless\nof the return value of queue_work(). If the work item is already queued,\nthe incremented refcount is never decremented.\n\nFix this by checking the return value of queue_work() and decrementing\nthe refcount when necessary.\n\nResolves:\n\nUnreferenced object 0xffff9d9f421e3d80 (size 192):\n  comm \u0026quot;cryptomgr_probe\u0026quot;, pid 157, jiffies 4294694003\n  hex dump (first 32 bytes):\n    80 8b cf 41 9f 9d ff ff b8 97 e0 89 ff ff ff ff  ...A............\n    d0 97 e0 89 ff ff ff ff 19 00 00 00 1f 88 23 00  ..............#.\n  backtrace (crc 838fb36):\n    __kmalloc_cache_noprof+0x284/0x320\n    padata_alloc_pd+0x20/0x1e0\n    padata_alloc_shell+0x3b/0xa0\n    0xffffffffc040a54d\n    cryptomgr_probe+0x43/0xc0\n    kthread+0xf6/0x1f0\n    ret_from_fork+0x2f/0x50\n    ret_from_fork_asm+0x1a/0x30(CVE-2025-38031)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: Fix race of buffer access at PCM OSS layer\n\nThe PCM OSS layer tries to clear the buffer with the silence data at\ninitialization (or reconfiguration) of a stream with the explicit call\nof snd_pcm_format_set_silence() with runtime-\u0026gt;dma_area.  But this may\nlead to a UAF because the accessed runtime-\u0026gt;dma_area might be freed\nconcurrently, as it\u0026apos;s performed outside the PCM ops.\n\nFor avoiding it, move the code into the PCM core and perform it inside\nthe buffer access lock, so that it won\u0026apos;t be changed during the\noperation.(CVE-2025-38078)","affected":[{"package":{"ecosystem":"openEuler:22.03-LTS-SP3","name":"kernel","purl":"pkg:rpm/openEuler/kernel\u0026distro=openEuler-22.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.10.0-270.0.0.172.oe2203sp3"}]}],"ecosystem_specific":{"aarch64":["kernel-5.10.0-270.0.0.172.oe2203sp3.aarch64.rpm","kernel-debuginfo-5.10.0-270.0.0.172.oe2203sp3.aarch64.rpm","kernel-debugsource-5.10.0-270.0.0.172.oe2203sp3.aarch64.rpm","kernel-devel-5.10.0-270.0.0.172.oe2203sp3.aarch64.rpm","kernel-headers-5.10.0-270.0.0.172.oe2203sp3.aarch64.rpm","kernel-source-5.10.0-270.0.0.172.oe2203sp3.aarch64.rpm","kernel-tools-5.10.0-270.0.0.172.oe2203sp3.aarch64.rpm","kernel-tools-debuginfo-5.10.0-270.0.0.172.oe2203sp3.aarch64.rpm","kernel-tools-devel-5.10.0-270.0.0.172.oe2203sp3.aarch64.rpm","perf-5.10.0-270.0.0.172.oe2203sp3.aarch64.rpm","perf-debuginfo-5.10.0-270.0.0.172.oe2203sp3.aarch64.rpm","python3-perf-5.10.0-270.0.0.172.oe2203sp3.aarch64.rpm","python3-perf-debuginfo-5.10.0-270.0.0.172.oe2203sp3.aarch64.rpm"],"src":["kernel-5.10.0-270.0.0.172.oe2203sp3.src.rpm"],"x86_64":["kernel-5.10.0-270.0.0.172.oe2203sp3.x86_64.rpm","kernel-debuginfo-5.10.0-270.0.0.172.oe2203sp3.x86_64.rpm","kernel-debugsource-5.10.0-270.0.0.172.oe2203sp3.x86_64.rpm","kernel-devel-5.10.0-270.0.0.172.oe2203sp3.x86_64.rpm","kernel-headers-5.10.0-270.0.0.172.oe2203sp3.x86_64.rpm","kernel-source-5.10.0-270.0.0.172.oe2203sp3.x86_64.rpm","kernel-tools-5.10.0-270.0.0.172.oe2203sp3.x86_64.rpm","kernel-tools-debuginfo-5.10.0-270.0.0.172.oe2203sp3.x86_64.rpm","kernel-tools-devel-5.10.0-270.0.0.172.oe2203sp3.x86_64.rpm","perf-5.10.0-270.0.0.172.oe2203sp3.x86_64.rpm","perf-debuginfo-5.10.0-270.0.0.172.oe2203sp3.x86_64.rpm","python3-perf-5.10.0-270.0.0.172.oe2203sp3.x86_64.rpm","python3-perf-debuginfo-5.10.0-270.0.0.172.oe2203sp3.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1727"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-50057"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-50167"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-50230"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26798"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21927"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22026"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38031"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38078"}],"database_specific":{"severity":"High"}}