{"schema_version":"1.7.2","id":"OESA-2025-2554","modified":"2025-10-31T14:12:27Z","published":"2025-10-31T14:12:27Z","upstream":["CVE-2022-50306","CVE-2023-4244","CVE-2023-53454","CVE-2023-53615","CVE-2023-53675","CVE-2023-53711","CVE-2023-53722","CVE-2023-53728","CVE-2024-50210","CVE-2024-53168","CVE-2024-53214","CVE-2024-56602","CVE-2024-56616","CVE-2024-57904","CVE-2024-57906","CVE-2024-57931","CVE-2024-58052","CVE-2024-58093","CVE-2024-58237","CVE-2025-21665","CVE-2025-21772","CVE-2025-21802","CVE-2025-23142","CVE-2025-37823","CVE-2025-37915","CVE-2025-37992","CVE-2025-38724","CVE-2025-39898","CVE-2025-39971","CVE-2025-39998"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\next4: fix potential out of bound read in ext4_fc_replay_scan()\n\nFor scan loop must ensure that at least EXT4_FC_TAG_BASE_LEN space. If remain\nspace less than EXT4_FC_TAG_BASE_LEN which will lead to out of bound read\nwhen mounting corrupt file system image.\nADD_RANGE/HEAD/TAIL is needed to add extra check when do journal scan, as this\nthree tags will read data during scan, tag length couldn't less than data length\nwhich will read.(CVE-2022-50306)\n\nA use-after-free vulnerability in the Linux kernel s netfilter: nf_tables component can be exploited to achieve local privilege escalation.Due to a race condition between nf_tables netlink control plane transaction and nft_set element garbage collection, it is possible to underflow the reference counter causing a use-after-free vulnerability.We recommend upgrading past commit 3e91b0ebd994635df2346353322ac51ce84ce6d8.(CVE-2023-4244)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nHID: multitouch: Correct devm device reference for hidinput input_dev name\n\nReference the HID device rather than the input device for the devm\nallocation of the input_dev name. Referencing the input_dev would lead to a\nuse-after-free when the input_dev was unregistered and subsequently fires a\nuevent that depends on the name. At the point of firing the uevent, the\nname would be freed by devres management.\n\nUse devm_kasprintf to simplify the logic for allocating memory and\nformatting the input_dev name string.(CVE-2023-53454)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix deletion race condition\n\nSystem crash when using debug kernel due to link list corruption. The cause\nof the link list corruption is due to session deletion was allowed to queue\nup twice.  Here's the internal trace that show the same port was allowed to\ndouble queue for deletion on different cpu.\n\n20808683956 015 qla2xxx [0000:13:00.1]-e801:4: Scheduling sess ffff93ebf9306800 for deletion 50:06:0e:80:12:48:ff:50 fc4_type 1\n20808683957 027 qla2xxx [0000:13:00.1]-e801:4: Scheduling sess ffff93ebf9306800 for deletion 50:06:0e:80:12:48:ff:50 fc4_type 1\n\nMove the clearing/setting of deleted flag lock.(CVE-2023-53615)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ses: Fix possible desc_ptr out-of-bounds accesses\n\nSanitize possible desc_ptr out-of-bounds accesses in\nses_enclosure_data_process().(CVE-2023-53675)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix a potential data corruption\n\nWe must ensure that the subrequests are joined back into the head before we can retransmit a request. If the head was not on the commit lists, because the server wrote it synchronously, we still need to add it back to the retransmission list.\nAdd a call that mirrors the effect of nfs_cancel_remove_inode() for O_DIRECT.(CVE-2023-53711)\n\nIn the Linux kernel, the following vulnerability has been resolved: md: raid1: fix potential OOB in raid1_remove_disk(). If rddev->raid_disk is greater than mddev->raid_disks, there will be an out-of-bounds in raid1_remove_disk(). We have already found similar reports as follows: 1) commit d17f744e883b ("md-raid10: fix KASAN warning") 2) commit 1ebc2cec0b7d ("dm raid: fix KASAN warning in raid5_remove_disk"). Fix this bug by checking whether the "number" variable is valid.(CVE-2023-53722)\n\nIn the Linux kernel, the following vulnerability has been resolved:posix-timers: Ensure timer ID search-loop limit is validposix_timer_add() tries to allocate a posix timer ID by starting from thecached ID which was stored by the last successful allocation.This is done in a loop searching the ID space for a free slot one byone. The loop has to terminate when the search wrapped around to thestarting point.But that s racy vs. establishing the starting point. That is read outlockless, which leads to the following problem:CPU0                    CPU1posix_timer_add()  start = sig->posix_timer_id;  lock(hash_lock);  ...       posix_timer_add()  if (++sig->posix_timer_id < 0)                      start = sig->posix_timer_id;     sig->posix_timer_id = 0;So CPU1 can observe a negative start value, i.e. -1, and the loop breaknever happens because the condition can never be true:  if (sig->posix_timer_id == start)     break;While this is unlikely to ever turn into an endless loop as the ID space ishuge (INT_MAX), the racy read of the start value caught the attention ofKCSAN and Dmitry unearthed that incorrectness.Rewrite it so that all id operations are under the hash lock.(CVE-2023-53728)\n\nIn the Linux kernel, the following vulnerability has been resolved:posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime()If get_clock_desc() succeeds, it calls fget() for the clockid s fd,and get the clk->rwsem read lock, so the error path should releasethe lock to make the lock balance and fput the clockid s fd to makethe refcount balance and release the fd related resource.However the below commit left the error path locked behind resulting inunbalanced locking. Check timespec64_valid_strict() beforeget_clock_desc() to fix it, because the  ts  is not changedafter that.[pabeni@redhat.com: fixed commit message typo](CVE-2024-50210)\n\nIn the Linux kernel, the following vulnerability has been resolved:sunrpc: fix one UAF issue caused by sunrpc kernel tcp socketBUG: KASAN: slab-use-after-free in tcp_write_timer_handler+0x156/0x3e0Read of size 1 at addr ffff888111f322cd by task swapper/0/0CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc4-dirty #7Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1Call Trace: <IRQ> dump_stack_lvl+0x68/0xa0 print_address_description.constprop.0+0x2c/0x3d0 print_report+0xb4/0x270 kasan_report+0xbd/0xf0 tcp_write_timer_handler+0x156/0x3e0 tcp_write_timer+0x66/0x170 call_timer_fn+0xfb/0x1d0 __run_timers+0x3f8/0x480 run_timer_softirq+0x9b/0x100 handle_softirqs+0x153/0x390 __irq_exit_rcu+0x103/0x120 irq_exit_rcu+0xe/0x20 sysvec_apic_timer_interrupt+0x76/0x90 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20RIP: 0010:default_idle+0xf/0x20Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d 33 f8 25 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90RSP: 0018:ffffffffa2007e28 EFLAGS: 00000242RAX: 00000000000f3b31 RBX: 1ffffffff4400fc7 RCX: ffffffffa09c3196RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff9f00590fRBP: 0000000000000000 R08: 0000000000000001 R09: ffffed102360835dR10: ffff88811b041aeb R11: 0000000000000001 R12: 0000000000000000R13: ffffffffa202d7c0 R14: 0000000000000000 R15: 00000000000147d0 default_idle_call+0x6b/0xa0 cpuidle_idle_call+0x1af/0x1f0 do_idle+0xbc/0x130 cpu_startup_entry+0x33/0x40 rest_init+0x11f/0x210 start_kernel+0x39a/0x420 x86_64_start_reservations+0x18/0x30 x86_64_start_kernel+0x97/0xa0 common_startup_64+0x13e/0x141 </TASK>Allocated by task 595: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 __kasan_slab_alloc+0x87/0x90 kmem_cache_alloc_noprof+0x12b/0x3f0 copy_net_ns+0x94/0x380 create_new_namespaces+0x24c/0x500 unshare_nsproxy_namespaces+0x75/0xf0 ksys_unshare+0x24e/0x4f0 __x64_sys_unshare+0x1f/0x30 do_syscall_64+0x70/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7eFreed by task 100: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x54/0x70 kmem_cache_free+0x156/0x5d0 cleanup_net+0x5d3/0x670 process_one_work+0x776/0xa90 worker_thread+0x2e2/0x560 kthread+0x1a8/0x1f0 ret_from_fork+0x34/0x60 ret_from_fork_asm+0x1a/0x30Reproduction script:mkdir -p /mnt/nfssharemkdir -p /mnt/nfs/netns_1mkfs.ext4 /dev/sdbmount /dev/sdb /mnt/nfssharesystemctl restart nfs-serverchmod 777 /mnt/nfsshareexportfs -i -o rw,no_root_squash *:/mnt/nfsshareip netns add netns_1ip link add name veth_1_peer type veth peer veth_1ifconfig veth_1_peer 11.11.0.254 upip link set veth_1 netns netns_1ip netns exec netns_1 ifconfig veth_1 11.11.0.1ip netns exec netns_1 /root/iptables -A OUTPUT -d 11.11.0.254 -p tcp   --tcp-flags FIN FIN  -j DROP(note: In my environment, a DESTROY_CLIENTID operation is always sent immediately, breaking the nfs tcp connection.)ip netns exec netns_1 timeout -s 9 300 mount -t nfs -o proto=tcp,vers=4.1   11.11.0.254:/mnt/nfsshare /mnt/nfs/netns_1ip netns del netns_1The reason here is that the tcp socket in netns_1 (nfs side) has beenshutdown and closed (done in xs_destroy), but the FIN message (with ack)is discarded, and the nfsd side keeps sending retransmission messages.As a result, when the tcp sock in netns_1 processes the received message,it sends the message (FIN message) in the sending queue, and the tcp timeris re-established. When the network namespace is deleted, the net structureaccessed by tcp s timer handler function causes problems.To fix this problem, let s hold netns refcnt for the tcp kernel socket asdone in other modules. This is an ugly hack which can easily be backportedto earlier kernels. A proper fix which cleans up the interfaces willfollow, but may not be so easy to backport.(CVE-2024-53168)\n\nIn the Linux kernel, the following vulnerability has been resolved:vfio/pci: Properly hide first-in-list PCIe extended capabilityThere are cases where a PCIe extended capability should be hidden fromthe user. For example, an unknown capability (i.e., capability with IDgreater than PCI_EXT_CAP_ID_MAX) or a capability that is intentionallychosen to be hidden from the user.Hiding a capability is done by virtualizing and modifying the  NextCapability Offset  field of the previous capability so it points to thecapability after the one that should be hidden.The special case where the first capability in the list should be hiddenis handled differently because there is no previous capability that canbe modified. In this case, the capability ID and version are zeroedwhile leaving the next pointer intact. This hides the capability andleaves an anchor for the rest of the capability list.However, today, hiding the first capability in the list is not doneproperly if the capability is unknown, as structvfio_pci_core_device->pci_config_map is set to the capability ID duringinitialization but the capability ID is not properly checked later whenused in vfio_config_do_rw(). This leads to the following warning [1] andto an out-of-bounds access to ecap_perms array.Fix it by checking cap_id in vfio_config_do_rw(), and if it is greaterthan PCI_EXT_CAP_ID_MAX, use an alternative struct perm_bits for directread only access instead of the ecap_perms array.Note that this is safe since the above is the only case where cap_id canexceed PCI_EXT_CAP_ID_MAX (except for the special capabilities, whichare already checked before).[1]WARNING: CPU: 118 PID: 5329 at drivers/vfio/pci/vfio_pci_config.c:1900 vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]CPU: 118 UID: 0 PID: 5329 Comm: simx-qemu-syste Not tainted 6.12.0+ #1(snip)Call Trace: <TASK> ? show_regs+0x69/0x80 ? __warn+0x8d/0x140 ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core] ? report_bug+0x18f/0x1a0 ? handle_bug+0x63/0xa0 ? exc_invalid_op+0x19/0x70 ? asm_exc_invalid_op+0x1b/0x20 ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core] ? vfio_pci_config_rw+0x244/0x430 [vfio_pci_core] vfio_pci_rw+0x101/0x1b0 [vfio_pci_core] vfio_pci_core_read+0x1d/0x30 [vfio_pci_core] vfio_device_fops_read+0x27/0x40 [vfio] vfs_read+0xbd/0x340 ? vfio_device_fops_unl_ioctl+0xbb/0x740 [vfio] ? __rseq_handle_notify_resume+0xa4/0x4b0 __x64_sys_pread64+0x96/0xc0 x64_sys_call+0x1c3d/0x20d0 do_syscall_64+0x4d/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e(CVE-2024-53214)\n\nIn the Linux kernel, the following vulnerability has been resolved:net: ieee802154: do not leave a dangling sk pointer in ieee802154_create()sock_init_data() attaches the allocated sk object to the provided sockobject. If ieee802154_create() fails later, the allocated sk object isfreed, but the dangling pointer remains in the provided sock object, whichmay allow use-after-free.Clear the sk pointer in the sock object on error.(CVE-2024-56602)\n\nIn the Linux kernel, the following vulnerability has been resolved:drm/dp_mst: Fix MST sideband message body length checkFix the MST sideband message body length check, which must be at least 1byte accounting for the message body CRC (aka message data CRC) at theend of the message.This fixes a case where an MST branch device returns a header with acorrect header CRC (indicating a correctly received body length), withthe body length being incorrectly set to 0. This will later lead to amemory corruption in drm_dp_sideband_append_payload() and the followingerrors in dmesg:   UBSAN: array-index-out-of-bounds in drivers/gpu/drm/display/drm_dp_mst_topology.c:786:25   index -1 is out of range for type  u8 [48]    Call Trace:    drm_dp_sideband_append_payload+0x33d/0x350 [drm_display_helper]    drm_dp_get_one_sb_msg+0x3ce/0x5f0 [drm_display_helper]    drm_dp_mst_hpd_irq_handle_event+0xc8/0x1580 [drm_display_helper]   memcpy: detected field-spanning write (size 18446744073709551615) of single field  &msg->msg[msg->curlen]  at drivers/gpu/drm/display/drm_dp_mst_topology.c:791 (size 256)   Call Trace:    drm_dp_sideband_append_payload+0x324/0x350 [drm_display_helper]    drm_dp_get_one_sb_msg+0x3ce/0x5f0 [drm_display_helper]    drm_dp_mst_hpd_irq_handle_event+0xc8/0x1580 [drm_display_helper](CVE-2024-56616)\n\nIn the Linux kernel, the following vulnerability has been resolved:iio: adc: at91: call input_free_device() on allocated iio_devCurrent implementation of at91_ts_register() calls input_free_deivce()on st->ts_input, however, the err label can be reached before theallocated iio_dev is stored to st->ts_input. Thus callinput_free_device() on input instead of st->ts_input.(CVE-2024-57904)\n\nIn the Linux kernel, the following vulnerability has been resolved:iio: adc: ti-ads8688: fix information leak in triggered bufferThe  buffer  local array is used to push data to user space from atriggered buffer, but it does not set values for inactive channels, asit only uses iio_for_each_active_channel() to assign new values.Initialize the array to zero before using it to avoid pushinguninitialized information to userspace.(CVE-2024-57906)\n\nIn the Linux kernel, the following vulnerability has been resolved:selinux: ignore unknown extended permissionsWhen evaluating extended permissions, ignore unknown permissions insteadof calling BUG(). This commit ensures that future permissions can beadded without interfering with older kernels.(CVE-2024-57931)\n\nIn the Linux kernel, the following vulnerability has been resolved:drm/amdgpu: Fix potential NULL pointer dereference in atomctrl_get_smc_sclk_range_tableThe function atomctrl_get_smc_sclk_range_table() does not check the returnvalue of smu_atom_get_data_table(). If smu_atom_get_data_table() fails toretrieve SMU_Info table, it returns NULL which is later dereferenced.Found by Linux Verification Center (linuxtesting.org) with SVACE.In practice this should never happen as this code only gets calledon polaris chips and the vbios data table will always be present onthose chips.(CVE-2024-58052)\n\nIn the Linux kernel, the following vulnerability has been resolved:PCI/ASPM: Fix link state exit during switch upstream function removalBefore 456d8aa37d0f ( PCI/ASPM: Disable ASPM on MFD function removal toavoid use-after-free ), we would free the ASPM link only after the lastfunction on the bus pertaining to the given link was removed.That was too late. If function 0 is removed before sibling function,link->downstream would point to free d memory after.After above change, we freed the ASPM parent link state upon any functionremoval on the bus pertaining to a given link.That is too early. If the link is to a PCIe switch with MFD on the upstreamport, then removing functions other than 0 first would free a link whichstill remains parent_link to the remaining downstream ports.The resulting GPFs are especially frequent during hot-unplug, becausepciehp removes devices on the link bus in reverse order.On that switch, function 0 is the virtual P2P bridge to the internal bus.Free exactly when function 0 is removed -- before the parent link isobsolete, but after all subordinate links are gone.[kwilczynski: commit log](CVE-2024-58093)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nbpf: consider that tail calls invalidate packet pointers\n\nTail-called programs could execute any of the helpers that invalidate\npacket pointers. Hence, conservatively assume that each tail call\ninvalidates packet pointers.\n\nMaking the change in bpf_helper_changes_pkt_data() automatically makes\nuse of check_cfg() logic that computes 'changes_pkt_data' effect for\nglobal sub-programs, such that the following program could be\nrejected:\n\n    int tail_call(struct __sk_buff *sk)\n    {\n    \tbpf_tail_call_static(sk, &jmp_table, 0);\n    \treturn 0;\n    }\n\n    SEC("tc")\n    int not_safe(struct __sk_buff *sk)\n    {\n    \tint *p = (void *)(long)sk->data;\n    \t... make p valid ...\n    \ttail_call(sk);\n    \t*p = 42; /* this is unsafe */\n    \t...\n    }\n\nThe tc_bpf2bpf.c:subprog_tc() needs change: mark it as a function that\ncan invalidate packet pointers. Otherwise, it can't be freplaced with\ntailcall_freplace.c:entry_freplace() that does a tail call.(CVE-2024-58237)\n\nIn the Linux kernel, the following vulnerability has been resolved:filemap: avoid truncating 64-bit offset to 32 bitsOn 32-bit kernels, folio_seek_hole_data() was inadvertently truncating a64-bit value to 32 bits, leading to a possible infinite loop when writingto an xfs filesystem.(CVE-2025-21665)\n\nIn the Linux kernel, the following vulnerability has been resolved:partitions: mac: fix handling of bogus partition tableFix several issues in partition probing: - The bailout for a bad partoffset must use put_dev_sector(), since the   preceding read_part_sector() succeeded. - If the partition table claims a silly sector size like 0xfff bytes   (which results in partition table entries straddling sector boundaries),   bail out instead of accessing out-of-bounds memory. - We must not assume that the partition table contains proper NUL   termination - use strnlen() and strncmp() instead of strlen() and   strcmp().(CVE-2025-21772)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix oops when unload drivers paralleling\n\nWhen unload hclge driver, it tries to disable sriov first for each\nae_dev node from hnae3_ae_dev_list. If user unloads hns3 driver at\nthe time, because it removes all the ae_dev nodes, and it may cause\noops.\n\nBut we can't simply use hnae3_common_lock for this. Because in the\nprocess flow of pci_disable_sriov(), it will trigger the remove flow\nof VF, which will also take hnae3_common_lock.\n\nTo fixes it, introduce a new mutex to protect the unload process.(CVE-2025-21802)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nsctp: detect and prevent references to a freed transport in sendmsg\n\nsctp_sendmsg() re-uses associations and transports when possible by\ndoing a lookup based on the socket endpoint and the message destination\naddress, and then sctp_sendmsg_to_asoc() sets the selected transport in\nall the message chunks to be sent.\n\nThere's a possible race condition if another thread triggers the removal\nof that selected transport, for instance, by explicitly unbinding an\naddress with setsockopt(SCTP_SOCKOPT_BINDX_REM), after the chunks have\nbeen set up and before the message is sent. This can happen if the send\nbuffer is full, during the period when the sender thread temporarily\nreleases the socket lock in sctp_wait_for_sndbuf().\n\nThis causes the access to the transport data in\nsctp_outq_select_transport(), when the association outqueue is flushed,\nto result in a use-after-free read.\n\nThis change avoids this scenario by having sctp_transport_free() signal\nthe freeing of the transport, tagging it as "dead". In order to do this,\nthe patch restores the "dead" bit in struct sctp_transport, which was\nremoved in\ncommit 47faa1e4c50e ("sctp: remove the dead field of sctp_transport").\n\nThen, in the scenario where the sender thread has released the socket\nlock in sctp_wait_for_sndbuf(), the bit is checked again after\nre-acquiring the socket lock to detect the deletion. This is done while\nholding a reference to the transport to prevent it from being freed in\nthe process.\n\nIf the transport was deleted while the socket lock was relinquished,\nsctp_sendmsg_to_asoc() will return -EAGAIN to let userspace retry the\nsend.\n\nThe bug was found by a private syzbot instance (see the error report [1]\nand the C reproducer that triggers it [2]).(CVE-2025-23142)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too\n\nSimilarly to the previous patch, we need to safe guard hfsc_dequeue()\ntoo. But for this one, we don't have a reliable reproducer.(CVE-2025-37823)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: drr: Fix double list add in class with netem as child qdisc\n\nAs described in Gerrard's report [1], there are use cases where a netem\nchild qdisc will make the parent qdisc's enqueue callback reentrant.\nIn the case of drr, there won't be a UAF, but the code will add the same\nclassifier to the list twice, which will cause memory corruption.\n\nIn addition to checking for qlen being zero, this patch checks whether the\nclass was already added to the active_list (cl_is_active) before adding\nto the list to cover for the reentrant case.\n\n[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/(CVE-2025-37915)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: Flush gso_skb list too during ->change()\n\nPreviously, when reducing a qdisc's limit via the ->change() operation, only\nthe main skb queue was trimmed, potentially leaving packets in the gso_skb\nlist. This could result in NULL pointer dereference when we only check\nsch->limit against sch->q.qlen.\n\nThis patch introduces a new helper, qdisc_dequeue_internal(), which ensures\nboth the gso_skb list and the main queue are properly flushed when trimming\nexcess packets. All relevant qdiscs (codel, fq, fq_codel, fq_pie, hhf, pie)\nare updated to use this helper in their ->change() routines.(CVE-2025-37992)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()\n\nLei Lu recently reported that nfsd4_setclientid_confirm() did not check\nthe return value from get_client_locked(). a SETCLIENTID_CONFIRM could\nrace with a confirmed client expiring and fail to get a reference. That\ncould later lead to a UAF.\n\nFix this by getting a reference early in the case where there is an\nextant confirmed client. If that fails then treat it as if there were no\nconfirmed client found at all.\n\nIn the case where the unconfirmed client is expiring, just fail and\nreturn the result from get_client_locked().(CVE-2025-38724)\n\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2025-39898)\n\nIn the Linux kernel, the following vulnerability has been resolved: i40e: fix idx validation in config queues msg. Ensure idx is within range of active/initialized TCs when iterating over vf->ch[idx] in i40e_vc_config_queues_msg().(CVE-2025-39971)\n\nIn the Linux kernel, a buffer overflow vulnerability exists in the target_lu_gp_members_show function in target_core_configfs.c. The vulnerability arises from the usage of snprintf to write into the buffer "buf" without checking the return value length. When the total formatted string length exceeds LU_GROUP_NAME_BUF (256 bytes), it may cause a buffer overflow. Since snprintf() returns the total number of bytes that would have been written, this value may exceed the buffer length (256 bytes) passed to memcpy(), ultimately causing the memcpy function to report a buffer overflow error. Adding an additional check of the return value of snprintf() can avoid this buffer overflow.(CVE-2025-39998)","affected":[{"package":{"ecosystem":"openEuler:22.03-LTS-SP3","name":"kernel","purl":"pkg:rpm/openEuler/kernel&distro=openEuler-22.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.10.0-287.0.0.189.oe2203sp3"}]}],"ecosystem_specific":{"aarch64":["kernel-5.10.0-287.0.0.189.oe2203sp3.aarch64.rpm","kernel-debuginfo-5.10.0-287.0.0.189.oe2203sp3.aarch64.rpm","kernel-debugsource-5.10.0-287.0.0.189.oe2203sp3.aarch64.rpm","kernel-devel-5.10.0-287.0.0.189.oe2203sp3.aarch64.rpm","kernel-headers-5.10.0-287.0.0.189.oe2203sp3.aarch64.rpm","kernel-source-5.10.0-287.0.0.189.oe2203sp3.aarch64.rpm","kernel-tools-5.10.0-287.0.0.189.oe2203sp3.aarch64.rpm","kernel-tools-debuginfo-5.10.0-287.0.0.189.oe2203sp3.aarch64.rpm","kernel-tools-devel-5.10.0-287.0.0.189.oe2203sp3.aarch64.rpm","perf-5.10.0-287.0.0.189.oe2203sp3.aarch64.rpm","perf-debuginfo-5.10.0-287.0.0.189.oe2203sp3.aarch64.rpm","python3-perf-5.10.0-287.0.0.189.oe2203sp3.aarch64.rpm","python3-perf-debuginfo-5.10.0-287.0.0.189.oe2203sp3.aarch64.rpm"],"src":["kernel-5.10.0-287.0.0.189.oe2203sp3.src.rpm"],"x86_64":["kernel-5.10.0-287.0.0.189.oe2203sp3.x86_64.rpm","kernel-debuginfo-5.10.0-287.0.0.189.oe2203sp3.x86_64.rpm","kernel-debugsource-5.10.0-287.0.0.189.oe2203sp3.x86_64.rpm","kernel-devel-5.10.0-287.0.0.189.oe2203sp3.x86_64.rpm","kernel-headers-5.10.0-287.0.0.189.oe2203sp3.x86_64.rpm","kernel-source-5.10.0-287.0.0.189.oe2203sp3.x86_64.rpm","kernel-tools-5.10.0-287.0.0.189.oe2203sp3.x86_64.rpm","kernel-tools-debuginfo-5.10.0-287.0.0.189.oe2203sp3.x86_64.rpm","kernel-tools-devel-5.10.0-287.0.0.189.oe2203sp3.x86_64.rpm","perf-5.10.0-287.0.0.189.oe2203sp3.x86_64.rpm","perf-debuginfo-5.10.0-287.0.0.189.oe2203sp3.x86_64.rpm","python3-perf-5.10.0-287.0.0.189.oe2203sp3.x86_64.rpm","python3-perf-debuginfo-5.10.0-287.0.0.189.oe2203sp3.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2554"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-50306"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-4244"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53454"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53615"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53675"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53711"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53722"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53728"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50210"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53168"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53214"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56602"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56616"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-57904"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-57906"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-57931"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-58052"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-58093"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-58237"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21665"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21772"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21802"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-23142"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-37823"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-37915"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-37992"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38724"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39898"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39971"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39998"}],"database_specific":{"severity":"High"}}