{"schema_version":"1.7.2","id":"OESA-2025-1876","modified":"2025-07-25T13:15:09Z","published":"2025-07-25T13:15:09Z","upstream":["CVE-2022-49961","CVE-2025-38074","CVE-2025-38079","CVE-2025-38117","CVE-2025-38157","CVE-2025-38298","CVE-2025-38337"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Do mark_chain_precision for ARG_CONST_ALLOC_SIZE_OR_ZERO\n\nPrecision markers need to be propagated whenever we have an ARG_CONST_*\nstyle argument, as the verifier cannot consider imprecise scalars to be\nequivalent for the purposes of states_equal check when such arguments\nrefine the return value (in this case, set mem_size for PTR_TO_MEM). The\nresultant mem_size for the R0 is derived from the constant value, and if\nthe verifier incorrectly prunes states considering them equivalent where\nsuch arguments exist (by seeing that both registers have reg->precise as\nfalse in regsafe), we can end up with invalid programs passing the\nverifier which can do access beyond what should have been the correct\nmem_size in that explored state.\n\nTo show a concrete example of the problem:\n\n0000000000000000 <prog>:\n 0: r2 = *(u32 *)(r1 + 80)\n 1: r1 = *(u32 *)(r1 + 76)\n 2: r3 = r1\n 3: r3 += 4\n 4: if r3 > r2 goto +18 <LBB5_5>\n 5: w2 = 0\n 6: *(u32 *)(r1 + 0) = r2\n 7: r1 = *(u32 *)(r1 + 0)\n 8: r2 = 1\n 9: if w1 == 0 goto +1 <LBB5_3>\n 10: r2 = -1\n\n0000000000000058 <LBB5_3>:\n 11: r1 = 0 ll\n 13: r3 = 0\n 14: call bpf_ringbuf_reserve\n 15: if r0 == 0 goto +7 <LBB5_5>\n 16: r1 = r0\n 17: r1 += 16777215\n 18: w2 = 0\n 19: *(u8 *)(r1 + 0) = r2\n 20: r1 = r0\n 21: r2 = 0\n 22: call bpf_ringbuf_submit\n\n00000000000000b8 <LBB5_5>:\n 23: w0 = 0\n 24: exit\n\nFor the first case, the single line execution's exploration will prune\nthe search at insn 14 for the branch insn 9's second leg as it will be\nverified first using r2 = -1 (UINT_MAX), while as w1 at insn 9 will\nalways be 0 so at runtime we don't get error for being greater than\nUINT_MAX/4 from bpf_ringbuf_reserve. The verifier during regsafe just\nsees reg->precise as false for both r2 registers in both states, hence\nconsiders them equal for purposes of states_equal.\n\nIf we propagated precise markers using the backtracking support, we\nwould use the precise marking to then ensure that old r2 (UINT_MAX) was\nwithin the new r2 (1) and this would never be true, so the verification\nwould rightfully fail.\n\nThe end result is that the out of bounds access at instruction 19 would\nbe permitted without this fix.\n\nNote that reg->precise is always set to true when user does not have\nCAP_BPF (or when subprog count is greater than 1 (i.e. use of any static\nor global functions)), hence this is only a problem when precision marks\nneed to be explicitly propagated (i.e. privileged users with CAP_BPF).\n\nA simplified test case has been included in the next patch to prevent\nfuture regressions.(CVE-2022-49961)\n\nLinux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States.\n There is a security vulnerability in Linux kernel, which originates from vq->log_used not protected by vq->mutex, which may result in invalid memory writes.(CVE-2025-38074)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: algif_hash - fix double free in hash_accept\n\nIf accept(2) is called on socket type algif_hash with\nMSG_MORE flag set and crypto_ahash_import fails,\nsk2 is freed. However, it is also freed in af_alg_release,\nleading to slab-use-after-free error.(CVE-2025-38079)\n\nA vulnerability, which was classified as critical, has been found in Linux Kernel up to 6.6.93/6.12.33/6.15.2/6.16-rc1 (Operating System).Using CWE to declare the problem leads to CWE-416. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.Impacted is confidentiality, integrity, and availability.Upgrading to version 6.6.94, 6.12.34, 6.15.3 or 6.16-rc2 eliminates this vulnerability. Applying the patch bdd56875c6926d8009914f427df71797693e90d4/4e83f2dbb2bf677e614109df24426c4dded472d4/d7882db79135c829a922daf3571f33ea1e056ae3/6fe26f694c824b8a4dbf50c635bee1302e3f099c is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.(CVE-2025-38117)\n\nA vulnerability has been found in Linux Kernel up to 6.15.2 (Operating System) and classified as problematic.The CWE definition for the vulnerability is CWE-125. The product reads data past the end, or before the beginning, of the intended buffer.As an impact it is known to affect confidentiality, integrity, and availability.Upgrading to version 5.4.295, 5.10.239, 5.15.186, 6.1.142, 6.6.94, 6.12.34, 6.15.3 or 6.16-rc1 eliminates this vulnerability. Applying the patch e5ce9df1d68094d37360dbd9b09289d42fa21e54/7ee3fb6258da8c890a51b514f60d7570dc703605/40471b23147c86ea3ed97faee79937c618250bd0/5482ef9875eaa43f0435e14570e1193823de857e/ee5ee646385f5846dcbc881389f3c44a197c402a/5a85c21f812e02cb00ca07007d88acdd42d08c46/ac4e317a95a1092b5da5b9918b7118759342641c is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2025-19787).(CVE-2025-38157)\n\nA vulnerability, which was classified as problematic, was found in Linux Kernel up to 32700ecf8007e071d1ce4c78f65b85f46d05f32a (Operating System).The manipulation of the argument adxl_component_count with an unknown input leads to a unknown weakness. CWE is classifying the issue as CWE-125. The product reads data past the end, or before the beginning, of the intended buffer.This is going to have an impact on confidentiality.Upgrading to version 5.4.295, 5.10.239, 5.15.186, 6.1.142, 6.6.94, 6.12.34, 6.15.3 or 6.16-rc1 eliminates this vulnerability. Applying the patch 80bf28fd623d97dd4f4825fbbe9d736cec2afba3/a6ed3a6edff09c1187cc6ade7f5967bca2376a13/bf6a8502a5f4ff6e4d135d795945cdade49ec8b0/e8530ed3c0769a4d8f79c212715ec1cf277787f8/3f5d0659000923735350da60ad710f8c804544fe/a13e8343ffcff27af1ff79597ff7ba241e6d9471/31ef6f7c9aee3be78d63789653e92350f2537f93/20d2d476b3ae18041be423671a8637ed5ffd6958 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.(CVE-2025-38298)\n\nA vulnerability classified as critical was found in Linux Kernel up to 6.15.3 (Operating System).The CWE definition for the vulnerability is CWE-476. A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.As an impact it is known to affect availability.Upgrading to version 5.4.295, 5.10.239, 5.15.186, 6.1.142, 6.6.95, 6.12.35, 6.15.4 or 6.16-rc1 eliminates this vulnerability. Applying the patch 5c1a34ff5b0bfdfd2f9343aa9b08d25df618bac5/ec669e5bf409f16e464bfad75f0ba039a45de29a/43d5e3bb5f1dcd91e30238ea0b59a5f77063f84e/23361b479f2700c00960d3ae9cdc8ededa762d47/2e7c64d7a92c031d016f11c8e8cb05131ab7b75a/f78b38af3540b4875147b7b884ee11a27b3dbf4c/a377996d714afb8d4d5f4906336f78510039da29/af98b0157adf6504fade79b3e6cb260c4ff68e37 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.(CVE-2025-38337)","affected":[{"package":{"ecosystem":"openEuler:22.03-LTS-SP3","name":"kernel","purl":"pkg:rpm/openEuler/kernel&distro=openEuler-22.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.10.0-274.0.0.176.oe2203sp3"}]}],"ecosystem_specific":{"aarch64":["kernel-5.10.0-274.0.0.176.oe2203sp3.aarch64.rpm","kernel-debuginfo-5.10.0-274.0.0.176.oe2203sp3.aarch64.rpm","kernel-debugsource-5.10.0-274.0.0.176.oe2203sp3.aarch64.rpm","kernel-devel-5.10.0-274.0.0.176.oe2203sp3.aarch64.rpm","kernel-headers-5.10.0-274.0.0.176.oe2203sp3.aarch64.rpm","kernel-source-5.10.0-274.0.0.176.oe2203sp3.aarch64.rpm","kernel-tools-5.10.0-274.0.0.176.oe2203sp3.aarch64.rpm","kernel-tools-debuginfo-5.10.0-274.0.0.176.oe2203sp3.aarch64.rpm","kernel-tools-devel-5.10.0-274.0.0.176.oe2203sp3.aarch64.rpm","perf-5.10.0-274.0.0.176.oe2203sp3.aarch64.rpm","perf-debuginfo-5.10.0-274.0.0.176.oe2203sp3.aarch64.rpm","python3-perf-5.10.0-274.0.0.176.oe2203sp3.aarch64.rpm","python3-perf-debuginfo-5.10.0-274.0.0.176.oe2203sp3.aarch64.rpm"],"src":["kernel-5.10.0-274.0.0.176.oe2203sp3.src.rpm"],"x86_64":["kernel-5.10.0-274.0.0.176.oe2203sp3.x86_64.rpm","kernel-debuginfo-5.10.0-274.0.0.176.oe2203sp3.x86_64.rpm","kernel-debugsource-5.10.0-274.0.0.176.oe2203sp3.x86_64.rpm","kernel-devel-5.10.0-274.0.0.176.oe2203sp3.x86_64.rpm","kernel-headers-5.10.0-274.0.0.176.oe2203sp3.x86_64.rpm","kernel-source-5.10.0-274.0.0.176.oe2203sp3.x86_64.rpm","kernel-tools-5.10.0-274.0.0.176.oe2203sp3.x86_64.rpm","kernel-tools-debuginfo-5.10.0-274.0.0.176.oe2203sp3.x86_64.rpm","kernel-tools-devel-5.10.0-274.0.0.176.oe2203sp3.x86_64.rpm","perf-5.10.0-274.0.0.176.oe2203sp3.x86_64.rpm","perf-debuginfo-5.10.0-274.0.0.176.oe2203sp3.x86_64.rpm","python3-perf-5.10.0-274.0.0.176.oe2203sp3.x86_64.rpm","python3-perf-debuginfo-5.10.0-274.0.0.176.oe2203sp3.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1876"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-49961"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38074"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38079"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38117"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38157"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38298"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38337"}],"database_specific":{"severity":"High"}}